Avaya Business Communications Manager - Configuration - Remote Worker Configuration manual
Contents
1. (Table continued; rows list the value for each of the three authentication configurations.)
PSK Password: <user_password> | <user_password> | N/A
XAUTH: dis | ena | dis
XAUTH UserID: N/A | <user_password> | N/A
XAUTH Password: N/A | <user_password> | N/A
Primary server: <FQDN> | <FQDN> | <FQDN>
Secondary server: <FQDN> | <FQDN> | <FQDN>
Root Cert: N/A | N/A | <required>
Device Cert: N/A | N/A | <required>
Note: Main mode is not supported if client termination resides on the BCM system.
Remote worker configuration when branch tunnels are used
You can deploy VPN Client tunnels on the Avaya BCM50a/e when VPN branch tunnels are used. When you deploy VPN Client tunnels in this manner, the number of active tunnels you can have is limited on the BCM50a/e. Complete the following procedure to establish a VPN between two sites using a VPN branch tunnel. The recommended method to do this is through a branch-to-branch IPSec tunnel. For more information, see BCM50e Integrated Router Configuration Basics (NO115788).
In VPN Summary, add a new tunnel by editing an unused rule.
Create an Active Branch Office tunnel.
Select Nailed Up if the tunnel should not be closed while not in use.
Select Main for Negotiation Mode.
Enter the authentication information with either a pre-shared key or an imported certificate.
Enter the IP Address assigned to the router WAN port. This should be a static address or a dynamic DNS name, and the IP address of the remote router.
Select th…
2. …see Business Communications Manager 6.0 Administration: Remote Worker (NN40171-600).
Configuration parameters
You can manually configure VPN using the Network Configuration screen on the IP phone. If Auto Provisioning is enabled for VPN (the default), you can install the full VPN configuration on the phone using configuration and provisioning files without manually entering the parameters. The following tables show the mapping between the Network Configuration screen parameters and the Auto Provisioning parameters, including the allowed values and defaults.
Table 1: Network Configuration screen and Auto Provisioning configuration parameters
Configuration parameter | Default value | Provisioning parameter | Provisioning values
VPN Enable | Disabled | vpn | y (Enabled), n (Disabled)
VPN Router Type | Avaya VPN | vpntype | 1 (Avaya VPN)
Mode | Aggressive | vpnmode | aggressive, main
Authentication | PSK | vpnauth | psk, certificate
XAuth | None | vpnxauth | 0 (None), 1 (Password)
PSK User ID | <Empty> | vpnpskuser | <string>
PSK Password | <Empty> | vpnpskuser | <string>
XAuth User ID | <Empty> | vpnxauthuser | <string>
XAuth Password | <Empty> | vpnxauthpwd | <string>
VPN Server 1 | <Empty> | vpns1 | <string> (IP address or FQDN; see Note)
(Avaya Business Communications Manager 6.0 Configuration: Remote Worker, page 24, Chapter 3 Provisioning the VPN)
Table 1: Network Configuration scre…
3. …a VPN tunnel to the VPN gateway for the first time, after which the set accepts the banner without user intervention. If you change the VPN primary gateway (VPN Server 1) parameter, the new security banner is displayed. You must accept the Security Banner to establish a tunnel and allow data traffic. If you select Cancel, you are prompted to accept the Security Banner again.
Licensing
The VPN feature requires a license for each set you want to connect remotely. When you first power on the set, or when the set establishes the tunnel, the VPN feature queries the license client to determine if the set has sufficient licensing tokens. If the system denies the license request, telephony services are restricted. Local menus, such as the Diagnostics, Provisioning and Configuration menus, can still be activated. The VPN tunnel will still activate, which allows you to obtain a valid license file and provisioning information. The IP set downloads the license files automatically from the BCM when it establishes a connection to the BCM call server. For more information about using the BCM system as an HTTP server for downloading license and configuration files, see Using the BCM as an HTTP server for downloading license and configuration files (page 18).
Node locked licensing
Node locked licensing is intended primarily for small…
4. (Table of contents, continued)
Customer Service 5
Navigation 5
Getting technical documentation 5
Getting product training 5
Getting help from a distributor or reseller 5
Getting technical support from the Avaya Web site 5
Getting started with remote worker support 7
About remote worker support 7
Audience 7
Acronyms 8
Symbols and text conventions 8
Related publications 9
Virtual private network configuration overview 11
Navigation 11
Network configuration 11
VPN configurations support 14
Remote worker configuration when branch tunnels are used 15
Security credentials 16
VPN Security banner 17
Licensing 17
Node locked licensing 18
Using the BCM as an HTTP server for downloading licens…
5. …in the token. The token is verified against the firmware build date first. If verification of the contract date fails, the licensing client requests an expiry type keycode from the server to fulfill the initial request. The licensing client always requests an SRS type keycode first, and an expiry based keycode only if verification of the former fails.
Licensing user interface
The licensing feature introduces a new submenu to the existing Local diagnostics menu in the IP phone interface. In the IP phone licensing submenu, select 7 to see your current licensing information.
Figure 4: Licensing interface main menu (menu items: IP Set and DHCP Information; Network Diagnostic Tools; Ethernet Statistics; IP Network Statistics; USB Devices; Advanced Diag Tools; License Information; VPN Statistics)
If the type of active license on the phone is node locked and time based, the License Type field indicates this and shows the expiry date of the license token.
Figure 5: Node locked mode licensing, time based license token
1 License Mode: Node Locked; Status: Active; License Type: Time Based; License Expiry: 2009-12-31
2 Tokens Allocated: 3
3 Tokens Remaining: 2
4 Licensed Features: 2 SCR, 34 Party, 2 VPN
If the type of active license on the phone is node locked and SRS based, the License Type field i…
6. …optional and is disabled in this setup. No VPN configuration is required to allow VPN client termination. Telnet is enabled for management purposes. The following code sample provides a view of the router configuration:
    conf t
    hostname avaya_remote
    telnet_server
    interface ethernet 0
      ip address 47.135.150.65 255.255.254.0
      nat
        enable
        static enable
        dynamic no
        reverse trans_addr 47.135.150.65
        trans mode overflow
      exit 2
    interface ethernet 1
      ip address 192.168.2.1 255.255.255.0
      exit 2
    ip route 0.0.0.0 0.0.0.0 47.135.150.1 1
    exit
(NN40171-505)
7. …provisioning screen and manually provision your IP address. When you have manually configured the phone, return to the Prepare Phone for Configuration screen and click Yes to confirm that the phone is now in Listening Mode. With the phone in Listening Mode, in the Autodiscover Phone screen, allow the Wizard to detect your phone. If more than one IP phone is discovered, verify the MAC address on the label on the back of your phone. Select the correct MAC address from the drop-down list in the Wizard screen.
14. When the phone is discovered, record the details indicated in the Confirmation and Finish screen.
15. Click Finish.
Chapter 4: Remote worker configuration overview
Avaya Business Communications Manager 6.0 (BCM 6.0) introduces the UNIStim remote worker feature. The remote worker feature is an alternative to configuring a virtual private network (VPN) for IP sets to connect to the BCM. You can configure the remote worker feature to support the registration of UNIStim terminals located on a public network as UNIStim remote users with an Avaya BCM located on the corporate network. The public network where the UNIStim terminals reside can be located on the public network or on private networks behind home routers. A home router can al…
8. …upgrade their UNIStim to version 4, which is required to support the VPN remote worker feature. The VPN Remote PC Application is a wizard-style stand-alone Java application that runs on Windows XP, Windows Vista and Mac platforms. The application supports 25 languages. The VPN Remote PC Application is supported on the following IP deskphones:
- 1120E
- 1140E
The VPN Remote PC Application simplifies VPN setup on the phone by:
- supporting configuration files packed in a zip file
- using built-in TFTP/HTTP servers that allow the application to act as a provisioning server to update the phone software and to provision VPN parameters
- using a discovery service that detects phones automatically
- eliminating the need for the user to manually configure the phone
Without the VPN Remote PC Application, the end user must set up the phone manually. To set up VPN on the phone manually, the end user must have:
- network-specific knowledge
- phone installation in the network
- phone-specific knowledge
- interaction with an HTTP, TFTP or FTP server
- a zip application
Before the end user can configure their IP phone using the application, their system administrator must provide them with the required configuration/provisioning files and the VPN Remote PC Application. The system administrator can email t…
9. …A. Dynamic NAT and dynamic PAT configuration
Traffic generated on the LAN and destined to the WAN side requires the use of dynamic PAT. This process allows applications on the private side to communicate with the public side and preserves stateful NAT or PAT sessions, so that traffic returning from the public side is sent back to the device that initiated the communication on the private side. To enable dynamic PAT, set the Network Address Translation field to a value other than None.
Figure 12: Business Element Manager static PAT configuration (fields shown: WAN IP Address Assignment: Get automatically from ISP (Default) / Use fixed IP address; My WAN IP Address: 47.135.151.202; My WAN IP Subnet Mask: 255.255.254.0; Gateway IP Address: 47.135.150.1; Network Address Translation: Full Feature; RIP Direction: None; RIP Version: RIP-1; Multicast: None; Windows Networking (NetBIOS over TCP/IP): Allow between WAN and LAN, Allow Trigger Dial)
Branch office tunnel configuration
A branch office tunnel (BOT) allows two branches to securely communicate over an encrypted IPSec tunnel. In this example, IKE is chosen as the key exchange protocol and the negotiation mode is set to Main.
Note: The selected negotiation mode (Main) must ma…
10. …AT, only specific traffic is redirected to and from the BCM. The minimum static PAT configuration consists of translating the IP address of UDP traffic within the range of 7000 to 7002 to and from the public IP address (155.3.2.1) of the router and the private address (192.168.0.2) of the BCM. The private address (192.168.0.2) of the BCM allows VoIP signaling from a remote IP set on the public network to reach the IP server on the BCM. In addition, for VoIP media to pass between the BCM and the remote IP set, you must configure static PAT to translate the range of Real-time Transport Protocol (RTP) and RTCP ports configured in the Business Element Manager for remote worker. The default range for UDP ports is 30000 to 30099 for BCM50 and 30000 to 30999 for BCM450. When a firewall is required on the router, the firewall must at least permit the signaling traffic for IP sets and the associated media traffic for the remote worker IP set range to flow between the public network and the BCM on the private network.
Chapter 5: Configuring the remote worker feature
Complete the following procedures to configure the remote worker feature on the Avaya Business Communications Manager (BCM) to allow IP sets on the public network, or on a private network behind a home router, to access the secure router and connect with the BCM. You must purchase and install a remote worker keycode to enable this feature. For more information about obt…
11. AVAYA. Configuration: Remote Worker. Avaya Business Communications Manager, Release 6.0. Document Status: Standard. Document Number: NN40171-505. Document Version: 01.04. Date: October 2010.
© 2010 Avaya Inc. All Rights Reserved.
Notices: While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer: Avaya shall not be responsible for any modifications, additions or deletions to the original published version of this documentation unless such modifications, additions or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer: Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services or inform…
12. All traffic flowing from LAN to WAN is permitted. The remote worker feature requires, at a minimum, the following rules:
- UNIStim signaling: UDP ports 7000-7002
- RTP/RTCP media: UDP ports 30000-30099
Optional BCM applications and VoIP protocols require the following rules:
- Business Element Manager: TCP port 5989
- SSH: TCP port 22
- SIP: UDP port 5060
- HTTP: TCP port 80
- HTTPS: TCP port 443
- BCM Monitor: TCP port 60001
Optional telnet and ping support require the following rules:
- TELNET: TCP port 23
- ICMP (ping): protocol 1
Static NAT and static PAT configuration
Traffic coming from the WAN side is translated and redirected to the customer LAN IP address of the BCM. This process is called static NAT. When a PAT rule is configured, that rule takes priority over static NAT. PAT rules are used to redirect traffic to a server IP address other than the default NAT IP address on the LAN side, based on a port number or range of port numbers.
Dynamic NAT and dynamic PAT configuration
Traffic generated on the LAN side and destined to the WAN side requires the use of dynamic PAT. This process allows applications on the private side to communicate with the public side and preserves stateful NAT or PAT sessions, so that traffic returning from the public side is sent back to the device that initiated the communication on the private side. Rou…
13. …D THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").
Copyright: Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya, including the selection, arrangement and design of the content, is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws, including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and/or use without the express written consent of Avaya can be a criminal, as well as a civil, offense under the applicable law.
Third Party Components: Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distribute…
14. …IP set which registers locally with branch office.
Table 4: Remote worker network setup equipment requirements (continued)
Name | Model | Description
IP Set Q | Avaya 1230 | UNIStim IP set located behind a BCM50 integrated router which registers remotely with head office over a VPN client branch-to-branch connection
LAB PC | Windows XP | Lab PC for miscellaneous use
VoIP signaling and media information
The following table provides information on NAT traversal and VoIP signaling and media requirements for each of the IP sets used in the sample network setup.
Table 5: IP set network requirements
Phone | NAT traversal feature required | Encrypted VoIP signaling and media | Comment
IP Set A | No | No |
IP Set B | Yes | No | BCM 6.0: The IP set indicates NO PORTS LEFT on the display without the NAT traversal feature. BCM 5.0: Set registers with UTPS server but no media path is available without the NAT traversal feature.
IP Set C | Yes | No | BCM 6.0: The IP set indicates NO PORTS LEFT on the display without the NAT traversal feature. BCM 5.0: Set registers with UTPS server but no media path is available without the NAT traversal feature.
IP Set D | Yes | No | BCM 6.0: The IP set indicates NO PORTS LEFT on the display without the NAT traversal feature. BCM 5.0: Set registers with UTPS server but no media path is available witho…
15. …N tunnel terminates on the BCM50 integrated router. If you use pre-shared key (PSK) authentication, user credentials are validated on the BCM50 integrated router. If you use XAUTH authentication, user credentials are validated on the BCM50 integrated router and on the RADIUS server, which resides on the customer LAN. You must install the VPN client for your version of Windows on your PC or laptop in order to utilize the VPN feature. For more information about configuring VPN client termination on a BCM50 integrated router, see the BCM50 Integrated Router Configuration Guide for your BCM50 model. For information about configuring VPN client termination on a VPN router or VPN gateway, see the configuration guide for your model of VPN router or VPN gateway.
VPN access to the BCM Customer LAN consists of 3 separate networks:
- Home network: the VPN user's home network, located behind a router and connected through an Internet Service Provider (ISP) to the Internet
- Public Internet: access to this network is provided by the ISP
- BCM LAN: the office LAN, with the BCM providing telephony services
The BCM LAN and the Home LAN network cannot be on the same LAN. Most commercially available home routers and BCM systems share the same default subnet of 192.168.1.x. Avaya recommends that the subnet on the BCM system be changed. Figure 1: PSK authentication network diagram (page 13) shows the VPN deployment model with a BCM50 system with an integrat…
16. …Network Configuration menu of the phone, enter the name of a new zone, for example vpn.
3. Create a zone provisioning file, for example vpn.prv, that contains the unique configuration attributes required for VPN.
4. Reboot the phone. The zone provisioning file downloads and the VPN configuration is installed. After provisioning is complete, the phone automatically reboots with VPN activated.
Manual configuration using the Network Configuration menu
You can manually configure the IP phone for VPN anywhere except when X.509 authentication is used. You must be familiar with the configuration interface of the phone before you attempt manual configuration. Use the Network Configuration screen on the phone to configure all VPN parameters. By default, VPN is set to be Auto provisioned. To deselect auto provisioning, press the Auto softkey. Deselect the box beside VPN. Press the Config softkey to return to the Network Configuration screen. VPN parameters are located at the top of the Network Configuration screen and are now enabled. You can now enter all non-certificate configuration parameters.
Remote provisioning using the remote PC application
End users who use the VPN remote worker solution to connect to their corporate phone network can configure their IP phone for VPN in the home office environment using the VPN Remote PC Application. Users can use this application to…
17. (Figure 8 network diagram labels: IP 192.168.0.5/24; IP 192.168.0.6/24; IP 192.168.0.3/24; IP 192.168.0.4/24; S1 192.168.0.2/24; LAB PC (packet sniffer) MGT 192.168.0.70/24; RED LAN 47.135.150.70/23; OAM LAN 10.10.11.2/30; UNIStim Set IP 192.168.0.21/24; S1 192.168.0.20:7000)
Equipment requirements
The following table lists the equipment required for the network setup illustrated in Figure 8.
Table 4: Remote worker network setup equipment requirements
Name | Model | Description
BCM50E-1 / BCM450-1 | Avaya BCM450 | Main (head office) BCM450 system under test, where a few local and remote IP sets register
BCM50E-2 | Avaya BCM50E | Remote branch office BCM50E. The integrated router is configured to support IPSec BOT, NAT and PAT.
Secure Router 1 | Avaya SR1001 | This router is configured to support NAT, PAT and firewall. This router sends public IP telephony traffic to BCM450-1 on the private side.
Secure Router 2 | Avaya SR1002 | This router is configured to support PAT. The router can represent a remote branch without Avaya Business Communications Manager (BCM) or a home office.
Cisco 2800 | Cisco 2800 | This router is configured to support PAT. The router can represent a remote branch without BCM or a home…
18. VPN: virtual private network. WAN: wide area network.
Symbols and text conventions
These symbols are used to highlight critical information for the Product Name short system:
Caution: Alerts you to conditions where you can damage the equipment.
Danger: Alerts you to conditions where you can get an electrical shock.
Note: A Note alerts you to important information.
Warning: Alerts you to conditions where you can cause the system to fail or work improperly.
Tip: Alerts you to additional information that can help you perform a task.
Security note: Indicates a point of system security where a default should be changed or where the administrator needs to make a decision about the level of security required for the system.
Warning: Alerts you to ground yourself with an antistatic grounding strap before performing the maintenance procedure.
Warning: Alerts you to remove the Product Name short main unit and expansion unit power cords from the AC outlet before performing any maintenance procedure.
These text conventions are used in this guide to indicate the information described:
Convention | Description
bold Courier text | Indicates command names and options and text that you need to enter. Example: Use the info command. Example: Enter show ip alerts routes.
italic text | Indic…
19. …ain. Note: The selected negotiation mode (Main) must match at both ends of the branch offices; otherwise, the VPN tunnel cannot be established.
Figure 18: Business Element Manager branch office tunnel configuration (fields shown: Active (checked); NAT Traversal; Nailed Up (checked); Name: TO_47_135_151_202; Key Management: IKE; Negotiation Mode: Main; Encapsulation Mode: Tunnel; Available IP Policy: Private IP Address / Local IP Address / Remote IP Address; Selected IP Policy: Private IP Address / Local IP Address 192.168.1.0 255.255.255.0 / Remote IP Address 192.168.0.0 255.255.255.0; Authentication Method: Pre-Shared Key (masked), Retype to Confirm (masked); Certificate: See My Certificates; Local ID Type: IP, Content: 0.0.0.0; Peer ID Type: IP, Content: 0.0.0.0; My IP Address: 47.135.152.201; Secure Gateway Address: 47.135.151.202; ESP/AH Encryption Algorithm: DES; Authentication Algorithm: SHA1; Advanced)
Router configuration for Secure Router 100x
Secure router 1 is configured with a firewall, static NAT and PAT, as well as dynamic NAT and PAT.
Firewall configuration
The secure router is configured to permit some traffic from the WAN side (ethernet 0) to the LAN (ethernet 1) and block any other type of traffic coming from the WAN…
20. …aining and installing keycodes, see Keycode Installation Guide (NN40010-301). Before you configure the remote worker feature on the BCM, you must configure the RTP over UDP port ranges on the secure router to allow the IP set signals and media to flow to the BCM and from the BCM to the remote IP sets.
Enabling the remote worker keycode
Complete this procedure to enable the remote worker keycode and therefore to configure the remote worker feature.
1. Purchase and install the remote worker keycode. For more information about obtaining and installing keycodes, see Keycode Installation Guide (NN40010-301).
2. In the Task Navigation Panel of the Business Element Manager, go to Configuration > System > Keycodes.
3. In the Feature Licenses table, click the remote worker keycode.
4. Click Load Keycode File.
Configuring the public IP address
You must configure the public IP address of the BCM on the secure router before you can enable the remote worker feature. For more information about how to configure the public IP address of the BCM, see Avaya Business Communications Manager 6.0 Configuration: Telephony (NN40010-502).
Note: If you do not properly configure the public IP address of the BCM when the remote worker feature check box is enabled, the remote worker IP sets cannot register with the BCM an…
21. …anager 6.0 Configuration: System (NN40170-501). For more information about configuring VPN on the BCM50 integrated router, see the BCM50 Integrated Router configuration guide for your system. For more information about configuring your VPN router or VPN gateway, see the configuration guide for your router or gateway.
Prerequisites
- Ensure that you have an available IP client license for each IP set you want to use.
Procedure steps
1. Upload the configuration files to the BCM. For information about managing configuration files, see Avaya Business Communications Manager 6.0 Configuration: System (NN40170-501).
2. On the user's PC, run the IP VPN configuration tool to enable and set up the VPN connection on the IP set. Once the VPN connection is established, the configuration files, license files and any firmware updates are automatically downloaded.
SRS type license file tokens
SRS type license file tokens are service contract tokens that are verified based on the firmware build and warranty date of the client. For IP clients, there are two types of keycodes for this type of license file token: an SRS based keycode, and an expiry based keycode that expires based on an expiry date associated with the keycode. The licensing file generated by KRS can contain an SRS keycode, which has a contract expiry date. The SRS type license file token is valid when either the client firmware build date or the warranty date within the contract date is specified…
22. …ates book titles.
plain Courier text | Indicates command syntax and system output, for example prompts and system messages. Example: Set Trap Monitor Filters
FEATURE / HOLD / RELEASE | Indicates that you press the button with the coordinating icon on whichever set you are using.
separator (>) | Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.
Related publications
Related publications are listed below. For more information about the Avaya Business Communications Manager 6.0 documentation suite, see Documentation Roadmap (NN40170-119).
Avaya Business Communications Manager 6.0 Configuration: Telephony (NN40170-502)
Chapter 2: Virtual private network configuration overview
The virtual private network (VPN) feature provides VPN client capability to the following IP sets:
- Avaya 1120E IP Deskphone
- Avaya 1140E IP Deskphone
- Avaya 1150E IP Deskphone
For more information about configuring your IP set for VPN, see the Avaya IP Deskphone configuration guide for your model of IP set.
Navigation
- Network configuration (page 11)
- VPN configurations support (page 14)
- Remote worker configuration when branch tunnels are used (page 15)
- Security credentials (page 16)
- VPN Security banner…
23. …ation described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty: Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses: THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO, ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AN…
24. …d can be provisioned in the configuration menu or through a configuration file. You can configure the VPN server to provide a configuration message to instruct the set not to save the password locally. The server configuration takes precedence over a provisioned password. The XAUTH User ID and Password are remembered temporarily to allow graceful reconnection to the VPN server after temporary network interruptions. These reconnections to the VPN server do not prompt the end user to enter the credentials. However, if the IP set powers down and powers up, then the user is prompted for credentials when the call server policy dictates that the password is not allowed to be saved locally.
Note: X.509 certificate credentials are always handled by the VPN router. The user is not prompted to enter a user ID or password.
- Main Mode: X.509 root certificate, device certificate. The root certificate is the customer's root certificate and is installed as part of the configuration file or as part of the SCEP process. The device certificate is assigned specifically to the set. It is installed using the SCEP process when the set is configured prior to the installation process. If the set is configured using the peer-to-peer configuration process, the device certificate is installed directly from the associated PC.
VPN Security banner
The VPN Security Banner presents security information provided by the VPN gateway on the set display. The banner displays when the set establishes…
25. d show the error message SERVER NO PORTS LEFT.

1 In the Task Navigation panel of the Business Element Manager, go to Configuration > System > IP Subsystem > General Settings.
2 In the Public Network area of the General Settings tab, click Modify. The Modify Public Network IP dialog appears.
3 In the Modify Public Network IP dialog, type the appropriate values in the Provisioned Public Address field. Optionally, you can also configure the following fields:
• Discovered Public Address
• Provisioned Public Port
4 Click OK.

Enabling the remote worker feature
You must configure the public IP address of the BCM on the secure router before you can enable the remote worker feature. Complete this procedure to enable the remote worker feature.

Security note: When you enable the Support Remote Worker feature, any IP set can potentially register with your system. To prevent unauthorized IP sets from registering with your BCM system, change the default IP set registration password and the default Telset administration password before you enable the feature. When no new IP sets must be registered, it is recommended that you deselect the Enable Registration option.

1 In the Task Navigation Panel of the Business Element Manager, go to Configuration > Resources > Telephony Resources.
2 In the Telephony Resources table, in the Configured Device column, click IP Sets. The Details for Module pane appears below the Telephony Res
26. d the Linux OS source code, and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them, is available on the Avaya Support Web site: http://support.avaya.com/Copyright.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support.

Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.

Contents
Contents 3
27. des a description of the credentials.

• PSK user ID and password
The IP set uses PSK to authenticate itself to the VPN router (also known as Group ID and Group Password). You can provision PSK in the configuration menu or through a configuration file. The PSK user ID and password are a maximum of 20 alphanumeric characters. You can configure the user ID manually, or you can pre-configure the user ID using the configuration file. If you save the PSK user ID, you do not have to re-enter it when you want to use it. You can configure the password manually or pre-configure the password using the configuration file. Optionally, you can leave the password blank. If you configure the password, you do not have to re-enter it when you use it. If you do not configure the password, you are prompted to enter it each time it is required. You can configure the VPN server to provide a policy message to instruct the set not to save the password locally. The server policy takes precedence over the password saved in the IP set.

Note: The XAUTH password is saved locally to the IP set until the IP set successfully connects to the VPN server for the first time. The VPN server policy then takes precedence.

NN40171-505 Chapter 2 Virtual private network configuration overview 17

• XAUTH user ID and password
The user ID and password are the end user's credentials used with the XAUTH protocol, which authenticates the user to the VPN router. The User ID and Passwor
28. e and configuration files 18
Prerequisites 19
Procedure steps 19
SRS type license file tokens 19
Licensing user ... 19
Known issues 21
Invalid PSK userID 21
Procedure steps 21
Speech path interruption during re-key 21
Provisioning the VPN 23
Configuration parameters 23
Pre-provisioning VPN within the corporate network before deployment 24
Manual configuration using the Network Configuration menu 25
Remote provisioning using the remote PC application 25
Configuring the IP phone using the Remote PC Application 26
Avaya Business Communications Manager 6.0 Configuration - Remote Worker 4 Contents
Remote worker configuration overview 29
Router configuration requirements 31
Configuring the remote worker feature 33
Enabling the remote worker keycode 33
Configuring the public IP address
29. e encryption and authentication algorithms.
Add an IP policy by specifying the IP address ranges of the local and remote hosts that use the tunnel.
Repeat steps 1 through 7 at the other end of the branch.

Note: If a VPN Client Termination is used on these sites, you must include the client termination address range in the tunnel policies in order for the VPN clients to see the other site.

Security credentials
The VPN feature requires different types of security credentials, depending on the mode of authentication selected. Security credentials are configured on the VPN router or VPN gateway by the administrator. For more information about configuring security credentials, see the configuration guide for your VPN router or VPN gateway. The following table shows which credentials are required for each mode.

Table 3 Security credentials required for each authentication mode
Mode | Credentials
Aggressive Mode with Authentication PSK, XAUTH disabled | PSK user ID and password
Aggressive Mode with Authentications PSK and XAUTH, XAUTH enabled | PSK user ID and password, and XAUTH user ID and password
Main Mode, no XAUTH (not applicable if the BCM is used to terminate the tunnel) | X.509 certificates: root certificate and device certificate

The following list provi
30. ed router using PSK authentication. Figure 2 XAUTH authentication network diagram (page 13) shows the VPN deployment model with a BCM50 system with an integrated router using XAUTH authentication.

Figure 1 PSK authentication network diagram
(network diagram: a VPN tunnel from the home phone at 172.16.2.50 across the Internet to 172.16.1.1 on the customer LAN; address key below)
192.168.1.164: address assigned to the home phone (statically or by home router)
192.168.1.165: address assigned to the home PC (statically or by home router)
192.168.1.1: local interface (home router) address
65.100.10.50: public interface for home router (assigned by ISP)
68.100.10.51: public interface address on BCM router (assigned by ISP)
172.16.1.1: private customer address of BCM router
172.16.1.2: private customer address of BCM
172.16.2.50: address assigned to the home phone by BCM client termination
172.16.2.51: address assigned to home PC by BCM client termination
172.16.2.50 to 172.16.2.100: address pool to assign to VPN IP clients

Figure 2 XAUTH authentication network diagram
(network diagram; the address key repeats that of Figure 1 and continues on the next page)
31. en and with Auto Provisioning configuration parameters (continued)
Configuration parameter | Default value | Provisioning parameter | Provisioning values
VPN Server 2 | <Empty> | vpns2 | <string>: IP address or FQDN (see Note)
VPN DSCP | False | vpndiffcpy | y: copy DSCP from original packet; n: use the vpndiff value
VPN DSCP | 0 | vpndiff | 0 to 255
MOTD Timer | 30 seconds | vpnmotd | 0 to 999
Local DNS | <Empty> | N/A | N/A

Note: You can specify the configured VPN routers as either an FQDN or as an IP address. Any combination of FQDN or IP address between VPN Server 1 and VPN Server 2 is permitted. If you choose to enter an FQDN, the user's local network must have access to DNS to resolve the entered name. Typically, in a home office environment this is the DNS server associated with the user's Internet connection.

Pre-provisioning VPN within the corporate network before deployment
In the corporate network, you can use an existing provisioning server to configure a phone for VPN before deploying the phone to the remote worker. The following describes the high-level steps of pre-provisioning VPN on an IP phone when you are working within the corporate network.

1 If a zone has been defined on the phone, you must add the following line to the system.prv file. This forces the phone to download a zone provisioning file:
file=z
Note: If no zone has been defined on the phone, adding this line has no effect.
2 In the
32. ftkey. The IP set reboots and attempts to re-establish the VPN tunnel. If the VPN tunnel is not established, contact your system administrator to verify that the PSK userID is correct.

Speech path interruption during re-key
During the VPN tunnel re-key, there can be a small (1 second) speech path interruption on active calls or at the dial tone. This is caused by a delay in the VPN gateway response to the re-key sequence. After the initial interruption, the set operates normally. The re-key timer is configurable on the VPN router or VPN gateway, with a default of 8 hours. Setting this timer to a larger value reduces the occurrence of this issue. For more information about setting the re-key timer, see the configuration guide for your VPN router or VPN gateway.

Chapter 3 Provisioning the VPN
There are three options for configuring a phone for virtual private network (VPN). The method you choose can depend on whether or not the phone must be provisioned before deployment to the home user:
• Pre-provisioning VPN within the corporate network before deployment
• Manual configuration using the Network Configuration menu
• Remote provisioning using the remote PC application
For procedures on how to configure the VPN and the IP phone before deployment to the remote worker
33. gned by ISP
(Figure 2 address key, continued)
68.100.10.51: public interface address on BCM router (assigned by ISP)
172.16.1.1: private customer address of BCM router
172.16.1.2: private customer address of BCM
172.16.1.200: RADIUS server in private customer LAN
172.16.2.50: address assigned to the home phone by BCM client termination
172.16.2.51: address assigned to home PC by BCM client termination
172.16.2.50 to 172.16.2.100: address pool to assign to VPN IP clients

If you have a BCM450 system or a BCM50 system that does not include an integrated router, you can use a VPN router or VPN gateway. In this case, place the VPN router or gateway on the edge of your network. The VPN tunnel from the set terminates on the VPN router or gateway, and the set registers to the call server on the BCM50 or BCM450 system. This configuration is used when you have a large number of VPN users (set or CVC). Figure 3 VPN router/gateway and BCM call server network diagram (page 14) shows a configuration of a network using a VPN router or gateway and a BCM call server.

Figure 3 VPN router/gateway and BCM call server network diagram
(network diagram with addresses 192.168.1.164, 192.168.1.165, 192.168.1.1, 65.100.10.50, 68.100.10.51, 172.16.1.1, 172.16.1.2, 172.16.1.200, 172.16.1.50 and 172.16.1.51; the address key begins with "address assigned to the home phone" and "address assigned to the h
34. he zipped files and the application to the end user for installation on their home PC. For phones with UNIStim 4 software pre-installed, the user completes the following set-up steps:
1 Launch the VPN Remote PC Application.
2 Select the zip file sent to them by their system administrator.
3 Press a short key sequence on the phone.
4 Click a button in the VPN Remote PC Application to start configuration.

Configuring the IP phone using the Remote PC Application
1 Launch the Remote PC Application.
2 In the Welcome and Language Selection screen, select your language preference from the drop-down list.
3 Click Next.
4 In the Equipment Setup and VPN screen, mouse over the network diagrams to ensure your cable connections are correct between your home router, PC and IP phone.
5 Click More for additional information about VPN before disconnecting.
6 Click OK.
7 Click Next.
8 In the Select Data Files screen, click Browse to navigate to the folder where your configuration files are stored.
9 Click Next.
10 In the Prepare Phone for Configuration screen, press the key sequence indicated in the Wizard screen to put the phone into Listening Mode.
11 Click Yes to confirm the phone is in Listening Mode.
12 Click No if the phone is not in Listening Mode.
13 If your phone is not in Listening Mode, you must manually prepare the phone to be configured. Follow the instructions provided in the Wizard to reboot the phone, navigate to the
35. ing Trigger Port
(Figure 16 screen capture, continued: Default Server 192.168.1.2; an active rule named ike for UDP 500 to 500 mapped to server IP address 192.168.1.1)

Dynamic NAT and dynamic PAT configuration
Traffic generated on the LAN side and destined to the WAN side requires the use of dynamic PAT. This process allows applications on the private side to communicate with the public side, and preserves stateful NAT or PAT sessions such that traffic returning from the public side is sent back to the device that initiated the communication on the private side. To enable dynamic PAT, set the Network Address Translation field to a value other than None.

Figure 17 Business Element Manager dynamic NAT and PAT configuration
(screen capture: WAN IP Address Assignment set to Use fixed IP address; My WAN IP Address 47.135.152.20; My WAN IP Subnet Mask 255.255.255.0; Gateway IP Address 47.135.152.1; Network Address Translation set to Full Feature; RIP Direction None; RIP Version and RIP Multicast None; Windows Networking (NetBIOS over TCP/IP) Allow between WAN and LAN and Allow Trigger Dial both unchecked)

Branch office tunnel configuration
A branch office tunnel (BOT) allows two branches to securely communicate over an encrypted IPSec tunnel. In this example, IKE is chosen as the key exchange protocol and the negotiation mode is set to M
36. io 1: Two private IP sets reside on the same private LAN where the BCM is located. The media path is optimized in such a way that the two IP sets send RTP/RTCP streams directly to one another.
Scenario 2: Two private IP sets reside behind the same home router and remotely register with the same BCM. The media path is optimized in such a way that the two IP sets send RTP/RTCP streams directly to one another.
Scenario 3: A private IP set resides on the private LAN where the BCM is located. The first IP set calls another IP set that is on the public side or behind a remote home router. The media path is anchored on the BCM, in such a way that the media path is relayed by the BCM itself.
Scenario 4: A public IP set calls another IP set that is on the public side. The media path is optimized for a public-to-public path.
Scenario 5: A public IP set calls another IP set that is behind a remote home router. The media path is anchored on the BCM, in such a way that the media path is relayed by the BCM.
Scenario 6: Two IP sets that each reside behind separate home routers call one another. The media path is anchored on the BCM, in such a way that the media path is relayed by the BCM itself.

Warning: You must ensure that the remote terminal is not configured with both the BCM public IP address and the published IP address (for example, S1 = BCM public IP address while S2 = BCM published IP address).
37. ion overview

Figure 7 Network diagram of remote worker feature
(network diagram: remote IP sets on a private network (192.168.1.x) and on the public network (210.x.x.x) use S1 = 155.3.2.1:7000; the Secure Router 100x has public IP 155.3.2.1 and private IP 192.168.0.1, performs NAT and port-forwards UNIStim 7000 and RTP to 192.168.0.20; the BCM and the local private IP sets (192.168.0.100, 192.168.0.101) use S1 = 192.168.0.20; legend distinguishes the optimized media path from the media path anchored on the BCM)

Router configuration requirements
At a minimum, you must configure the secure router to do static network address translation (NAT) of all the public traffic to the BCM on the LAN side, and the other way around. In the example shown in Figure 1, traffic from the public network destined to IP address 155.3.2.1 on the router is translated through NAT to the destination IP address 192.168.0.1 on the private network, so that it can reach the BCM. The reverse mapping is also done when the BCM sends traffic from the private network to the public network through the secure router.

Alternatively, you can configure the secure router for static port address translation (PAT). This is also known as port forwarding. When you configure the secure router for P
38. irection are displayed in the summary table below.
(Figure 10 screen capture, continued: action for packets that don't match firewall rules is Block, with logging of packets that don't match these rules; rules, both Active with source Any and destination Any, are BOOTP_CLIENT UDP 68 and IKE UDP 500)

Static NAT and static PAT configuration
Traffic coming from the WAN side that is allowed through the firewall is translated and redirected to the customer LAN IP address of the BCM. This process is called static NAT. You configure static NAT by setting the default SUA/NAT server to the internal customer LAN IP address of the BCM50E. When a more specific SUA/NAT rule is configured, that rule takes priority over static NAT. The process by which more specific rules can redirect traffic to a server IP address on the LAN side, based on a port address or range of ports, is called static PAT.

Figure 11 Business Element Manager static NAT and static PAT configuration panel
(screen capture: SUA Server address mapping with Default Server 192.168.0.2; active rules ike and nattrav (UDP 4000 to 4000) mapped to server IP address 192.168.0.1; remaining rules empty)
39. itionally, Avaya 1120e IP Deskphones and Avaya 1140e IP Deskphones can establish an encrypted VPN tunnel to a VPN server. The VPN tunnel carries all set-related traffic, enabling you to use your set remotely. In order to enable the VPN feature, an administrator must first prepare the configuration files, obtain the license files for the IP sets, and upload them to the BCM system. The administrator specifies the BCM as an HTTP server in the configuration files. After the VPN feature is enabled on the set and the set establishes a VPN tunnel, the model configuration file (for example, 1140e.cfg) and license file are downloaded from the BCM, giving the user full use of the VPN connection. This feature is compatible with PSK and dual-factor authentication methods.

Every time the set reboots, it connects with the BCM to read the configuration files and download the firmware or license file if necessary. The configuration files stored on the BCM are backed up with the data from IP Telephony. The Delete All button in the Business Element Manager removes all uploaded IP set configuration files, if the administrator wants to remove this functionality from the BCM. The initial configuration files for the Avaya 1100 Series IP Deskphones can be downloaded from http://www.avaya.com/support. For information about setting up a BCM system as an HTTP server, see Avaya Business Communications M
40. Appendix A Sample lab set-up for remote worker configuration
This appendix provides details on lab requirements for creating a network that uses and supports remote worker configuration. Figure 8 shows the sample lab setup.

Figure 8 Remote worker network setup
(network diagram: a head office with BCM50E 1 and Secure Router 100x 1 on the local LAN 192.168.0.0/24 and a BCM450 at 192.168.0.20; a remote branch with BCM50E 2 and Secure Router 100x 2; a Cisco 2800 on the red LAN 47.135.150.0/23; an IPSec client tunnel and an IPSec branch office tunnel across the public side; remote workers behind home routers and directly on the public side; the UNIStim and TDM sets at each desk are listed in the following description)
41. ndicates this and shows the warranty date of the license token, the firmware build, and the warranty date of the firmware build.

Figure 6 Node-locked mode licensing (SRS-based license token)
(screen capture: License Mode Node Locked; Status Active; License Type Standard; License Warranty 2009-12-31; FW Build Date 2009-03-31; FW Warranty Date 2009-03-31; Tokens Allocated 1; Tokens Remaining 2; Licensed Features 2: SCR 3 Party 1, VPN 0 (disabled))

The licence information screen also provides information on the number of tokens allocated and remaining to be used, as well as the number of licensed features available.

Known issues
This section describes known issues and possible solutions for the VPN feature.

Invalid PSK userID
If the VPN tunnel terminates on a BCM50 integrated router and the PSK userID is incorrect, the tunnel does not establish and the system does not prompt you to re-enter your credentials. In this case, the PSK userID must be corrected manually. This limitation applies to PSK and XAUTH authentication methods. Use the following procedure to manually re-enter your PSK credentials.

Procedure steps
1 On the IP set, press Services twice.
2 Select option 3.
3 Press the right arrow key to scroll through the options and select PSK UserID.
4 Press Enter to edit the field.
5 Re-enter your PSK userID, followed by Enter.
6 Press the Apply so
42. office.
IP Set A: Avaya 1230 UNIStim IP set which registers locally with head office.
IP Set B: Avaya 1230 UNIStim IP set located behind a router which registers remotely with head office.
IP Set C: Avaya 1230 UNIStim IP set located behind a router which registers remotely with head office.
IP Set D: Avaya 1140E UNIStim IP set located behind a router which registers remotely with head office.
IP Set E: Avaya 1230 UNIStim IP set located directly on the public network which registers remotely with head office.
IP Set F: Avaya 1230 UNIStim IP set which registers locally with head office.
TDM Set G: Avaya 7316E TDM set directly connected to head office.
TDM Set H: Avaya 7316E TDM set directly connected to head office.
IP Set I: Avaya 1230 UNIStim IP set which registers locally with head office.
IP Set J: Avaya 1230 UNIStim IP set which registers locally with branch office.
IP Set K: Avaya 1230 UNIStim IP set located directly on the public network which registers remotely with head office.
IP Set L: Avaya 1230 UNIStim IP set located behind a router which registers remotely with head office.
IP Set M: Avaya 1140E UNIStim v4 IP set located behind a router which registers remotely with head office over a VPN client termination connection.
IP Set N: Avaya 1140E UNIStim IP set located directly on the public network which registers remotely with head office.
IP Set O: Avaya 1230 UNIStim IP set which registers locally with branch office.
IP Set P: Avaya 1230 UNIStim
43. ome PC
(Figure 3 address key, continued; roles in diagram order)
address assigned to the home PC (statically or by home router)
local interface (home router) address
public interface for home router (assigned by ISP)
public interface address on Avaya VPN Gateway/Router (assigned by ISP)
customer network LAN address on Avaya VPN Router/Gateway
private customer address of BCM Call Server
address of RADIUS server in private customer LAN
address assigned to the home phone by BCM client termination
address assigned to home PC by BCM client termination
172.16.1.40 to 172.16.1.100: address pool to assign to VPN IP clients
(diagram labels: BCM450 Call Server, Customer LAN, Avaya VPN Gateway/Router)

VPN configurations supported
The following table shows valid VPN configuration parameters for IP sets. BCM supports Aggressive mode when you use a VPN router or VPN gateway.

Table 2 Supported configurations
VPN parameter | Aggressive mode PSK with no XAUTH | Aggressive mode PSK with XAUTH | Main mode X.509 with no XAUTH
Protocol | VPN router/gateway | VPN router/gateway | VPN router/gateway
Mode | Aggressive | Aggressive | Main
Authentication | PSK | PSK | X.509
PSK UserID | <user_ID> | <user_ID> | N/A

Table 2 Supported configurations (continued)
VPN parameter | Aggressive mode PSK with no XAUTH | Aggressive mode PSK with XAUTH | Main mode X.509 with no XAUTH
44. Chapter 1 Getting started with remote worker support
This section contains information on the following topics:
• About remote worker support on page 7
• Audience on page 7
• Acronyms on page 8
• Symbols and text conventions on page 8
• Related publications on page 9

About remote worker support
Avaya Business Communications Manager 6.0 (BCM 6.0) includes new options for remote worker support. You can connect your Avaya 1100 Series IP Deskphone to the Avaya BCM through a secure VPN tunnel, or by using the new remote worker feature. Using the remote worker feature, you can use the BCM system as an HTTP server, allowing you to distribute configuration files, license files and firmware to IP clients. This guide includes an appendix which provides details on a sample network setup that supports remote workers.

Audience
This guide is intended for administrators who want to configure the BCM for remote worker support.

Acronyms
This guide uses the following acronyms:
BOT branch office tunnel
HTTP hypertext transfer protocol
IP internet protocol
LAN local area network
NAT network address translation
PAT port address translation
PSK pre-shared key
RTCP realtime control protocol
RTP realtime transfer protocol
UDP user data protocol
45. onfiguration
(screen capture: "The firewall protects against Denial of Service (DoS) attacks when it is enabled. Note: Browser window will need to be refreshed after enabling the firewall." Enable Firewall checked; Bypass Triangle Route unchecked; Firewall Rules Storage Space in Use 0%; Packet Direction WAN to LAN; configured rules for this packet direction are displayed in the summary table below; action for packets that don't match firewall rules is Block, with logging of packets that don't match these rules; active rules with source Any and destination Any: UDP 30000-30099, UTPS UDP 7000-7002, HTTP TCP 80, HTTPS TCP 443, SSH TCP/UDP 22, SIP V2 UDP 5060)

Figure 10 Business Element Manager firewall configuration panel, IPSec/NAT configuration
(screen capture: "The firewall protects against Denial of Service (DoS) attacks when it is enabled. Note: Browser window will need to be refreshed after enabling the firewall." Enable Firewall and Bypass Triangle Route unchecked; Firewall Rules Storage Space in Use 0%; Packet Direction WAN to WAN / Business Secure Router; configured rules for this packet d
46. Figure 14 Business Element Manager VPN client termination configuration
(screen capture: None selected)

Figure 15 Business Element Manager VPN client termination advanced configuration
(screen capture: NAT Traversal Enabled; Disable Client IKE Source Port Switching unchecked; UDP Port 4000)

Router configuration for BCM50E 2
The integrated router on BCM50E 2 is configured with static NAT and PAT, as well as dynamic NAT and PAT. The firewall is disabled. Only IPSec BOT is used.

Static NAT and static PAT configuration
Traffic coming from the WAN side is translated and redirected to the customer LAN IP address of the BCM. This process is called static NAT, and is configured by setting the default SUA/NAT server to the internal customer LAN IP address of the BCM50E. When a more specific SUA/NAT rule is configured, that rule takes priority over static NAT. The process by which more specific rules can redirect traffic to a server IP address on the LAN side, based on a port number or range of port numbers, is called static PAT.

Figure 16 Business Element Manager static NAT and PAT configuration
(screen capture: SUA Server Addr Mapp
47. ources table.

3 In the IP Terminal Global Settings tab, select the Support Remote Worker checkbox.

Security note: When you select the Support Remote Worker checkbox and enable the feature, the following warning dialog appears:

***WARNING***
By enabling Support Remote Worker, IP set registration is accessible from the Internet and therefore it is important to take actions to prevent unauthorized registration of IP sets. Prior to enabling, please ensure the following passwords are changed from system defaults to non-trivial passwords:
IP set registration: Global password
Telset-based administration: Telset account password
Best practice: leave the Enable Registration option disabled when no new set registration is required.
****************

You must accept the warning message to ensure that the default telset and global IP set registration passwords are updated, and to avoid unauthorized IP set registrations from the public network.

Note: The Support Remote Worker checkbox is greyed out if you have not enabled the remote worker keycode.

4 If any IP sets show the error message SERVER NO PORTS LEFT, you must power cycle the affected IP sets to force them to register with the BCM.

The remote worker feature is enabled.
48. page 17
• Licensing, page 17
• Using the BCM as an HTTP server for downloading license and configuration files, page 18
• Known issues, page 21

Network configuration
The following table shows supported VPN routers.

Table 1 VPN routers
Router | Model | Release
VPN router | 1750, 2700, 5000 | Release 3.2
VPN gateway | 3050, 3070 | Release 7.0
Avaya Business Communications Manager 50 (BCM50 integrated router) | Avaya BCM50a/ba, BCM50e/be (CSC versions other than 1) | Release 6.0
Note: Your CSC version can be found in Business Element Manager at Administration > Hardware Inventory > Additional Information > CSC Hardware version.

The VPN feature enables the set to establish an encrypted VPN tunnel from the set to an Avaya BCM 6.0 system. When the tunnel is established, the following IP set-related traffic traverses the tunnel:
• UNIStim signaling
• media
• TFTP provisioning
• HTTP provisioning
All set-related traffic must travel through a single tunnel. For example, it is not possible for some traffic to travel inside the tunnel and some traffic to travel outside the tunnel. Traffic on the PC port of the set is always excluded from the VPN tunnel. If you have a BCM50 system with an integrated router (BCM50a, BCM50ba, BCM50e or BCM50be models), the VP
Chapter 2 (continued): Licensing

...phone installations where you do not want to manage a license server. In this case, the token license file created by KRS is keyed to a specific phone by using the MAC address of that phone. The token license file is then loaded to the phone. The license client does not attempt to access any license server; instead, it grants token requests from the phone application as long as the request does not exceed the number of tokens provided in the license file.

Downloading the licence file

Complete this procedure to download a token license file for VPN access on IP phones.

1. Configure the IP phone with a provisioning IP address so it can access a provisioning server.
2. Enter the license file of the phone in the server. The file name of the license file is ipctoken<MAC>.cfg, where <MAC> is the 12-character MAC address of the IP phone.
3. Add a LICENSING section to the phone configuration file (for example 1110.cfg, 1120e.cfg, 1140e.cfg or 1150e.cfg):

    [LICENSING]
    VERSION <version>
    FILENAME X.Y

4. Start the provisioning server so the phone can retrieve the .cfg files when it boots.

When the phone retrieves the setting during boot-up, it downloads the licensing file, renames it ipclient.lic, and saves it in the phone flash.

Using the BCM as an HTTP server for downloading license and configuration files

You can use a BCM as an HTTP server to download the license and configuration files for an Avaya 1100 Series IP Deskphone. Add
Customer service

This section explains how to get help for Avaya products and services. Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to http://www.avaya.com or go to one of the pages listed in the following sections.

Navigation
- Getting technical documentation (page 5)
- Getting product training (page 5)
- Getting help from a distributor or reseller (page 5)
- Getting technical support from the Avaya Web site (page 5)

Getting technical documentation
To download and print selected technical publications and release notes directly from the Internet, go to http://www.avaya.com/support.

Getting product training
Ongoing product training is available. For more information or to register, go to http://www.avaya.com/support and locate the Training contacts link in the left-hand navigation pane.

Getting help from a distributor or reseller
If you purchased a service contract for your Avaya product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

Getting technical support from the Avaya Web site
The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at http://www.avaya.com/support.
Contents (continued)

Enabling the remote worker feature ........................................ 34
Appendix A: Sample lab set up for remote worker configuration ............ 37
  Equipment requirements .................................................. 38
  VoIP signaling and media information .................................... 39
  Router configuration for BCM50E 1 ....................................... 40
    Firewall configuration ................................................ 40
    Static NAT and static PAT configuration ............................... 42
    Dynamic NAT and dynamic PAT configuration ............................. 43
    Branch office tunnel configuration .................................... 44
    VPN client termination configuration .................................. 45
  Router configuration for BCM50E 2 ....................................... 47
    Static NAT and static PAT configuration ............................... 47
    Dynamic NAT and dynamic PAT configuration ............................. 48
    Branch office tunnel configuration .................................... 49
  Router configuration for Secure Router 100x 1 ........................... 50
    Firewall configuration ................................................ 50
    Static NAT and static PAT configuration ............................... 51
    Dynamic NAT and dynamic PAT configuration ............................. 51
    Router configuration snapshot ......................................... 51
  Router configuration for Secure Router 100x 2 ........................... 52
Chapter 4: Remote worker configuration overview

...also mean a branch router, such as a router located at a business headquarters interacting with its remote branches.

The BCM is located behind a corporate router. The BCM can be accessed from the public network using its public IP address and dedicated UNIStim signaling ports. The UNIStim signaling ports are 7000 to 7002; these ports are fixed on the BCM. Open these ports at the corporate secure router. After successful registration, remote UNIStim users can access services in the same way as locally registered UNIStim users.

When you enable the remote worker keycode, its scope is global: as many remote worker IP sets can register as there are IP client seats available.

All media that involves remote UNIStim terminals is anchored at the BCM and relayed by BCM RTP relay sessions. You can configure the BCM User Datagram Protocol (UDP) port range (30000 to 30xxx) used by the BCM RTP relay sessions for the remote worker media path through Business Element Manager. On the corporate router, open the UDP port ranges for UNIStim signaling and media and redirect this traffic to the BCM through either static network address translation (NAT) or static port address translation (PAT).

Note: The media between two remote UNIStim terminals that are collocated behind the same home router, and that do not have call recording turned on for calls, flows directly between the terminals and is not relayed through the BCM. This is also true for IP sets collocated behind the same private corporate network where the BCM resides, or for two IP sets collocated on the public network that do not have call recording turned on for calls.

Note: When VPN is configured, the signaling and media traffic of remote workers is encrypted. When only the remote worker feature is enabled, without a VPN, signaling and media traffic is not encrypted and crosses the public network in the clear.

The following figure illustrates a sample network setup between a public network, or a private network behind home routers, and the private corporate network where the BCM resides behind the corporate secure router. Behind the corporate secure router, the BCM is configured with the remote worker feature to allow a connection with the IP set to be established. All IP sets on the public side and on the remote private side register with the BCM using the public IP address of the router. UNIStim signaling is always exchanged through the BCM.

For the media path, there are five scenarios for intercom calls, that is, IP sets registered on the same BCM and calling each other. The media path behavior falls into two categories:
1. The media path is optimized so that the IP sets send RTP/RTCP (Real-time Transport Protocol and RTP Control Protocol) streams directly to one another.
2. The media path is anchored on the BCM so that it is relayed by the BCM itself, using its public IP address and the configured UDP range 30000 to 30xxx.

Scenar

Appendix A: Sample lab set up for remote worker configuration

...must match at both ends of the branch office tunnel; otherwise the VPN tunnel cannot be established.

Figure 13: Business Element Manager branch office tunnel configuration. The settings shown in the figure are:
- Connection Type: Branch Office; Active: selected; NAT Traversal; Nailed Up
- Name: TO_47_135_152_201
- Key Management: IKE
- Negotiation Mode: Main
- Encapsulation Mode: Tunnel
- Selected IP Policy: Local IP Address 192.168.0.0 / 255.255.255.0; Remote IP Address 192.168.1.0 / 255.255.255.0
- Authentication Method: Pre-Shared Key (entered twice to confirm); Certificate: see My Certificates
- Local ID Type: IP, Content 0.0.0.0
- Peer ID Type: IP, Content 0.0.0.0
- My IP Address: 47.135.151.202
- Secure Gateway Address: 47.135.152.201
- ESP selected (not AH); Encryption Algorithm: 3DES; Authentication Algorithm: SHA1

The pre-shared key is masked in the figure; use a long, random key and enter the identical value on the peer router. 3DES and SHA1 are the algorithms used in this lab; where both peers support it, prefer AES for the encryption algorithm.

VPN client termination configuration

You can configure the BCM50E to let remote IP devices communicate with the BCM over an encrypted VPN tunnel. In the lab setup, IP set M is configured with VPN parameters so that user1 can be authenticated, followed by the establishment of a VPN tunnel. The profile for user1 is designed to allocate IP address 192.168.3.200 to IP set M. VPN client termination and the branch office tunnel can be established independently.

Router configuration snapshot

The following code sample provides a view of the Secure Router 100x 1 configuration:

    conf t
    hostname avaya_bcm450
    telnet_server
    interface ethernet 0
      ip address 47.135.151.204 255.255.254.0
      nat enable
      static enable
      dynamic no
      reverse
      trans_addr 47.135.151.204
      trans_mode overflow
      address 192.168.0.20 47.135.151.204
      port tcp 47.135.151.204 23 47.135.151.204 23
      exit 2
    interface ethernet 1
      ip address 192.168.0.10 255.255.255.0
      exit 2
    ip route 0.0.0.0 0.0.0.0 47.135.150.1 1
    ip access-list bcm_lan
      add permit tcp any 47.135.151.204 dport 23
      add permit tcp any 192.168.0.20 dport 22
      add permit tcp any 192.168.0.20 dport 5989
      add permit tcp any 192.168.0.20 dport 80
      add permit tcp any 192.168.0.20 dport 443
      add permit tcp any 192.168.0.20 dport 60001
      add permit tcp any 192.168.0.20 dport 1222
      add permit udp any 192.168.0.20 dport 7000-7002
      add permit udp any 192.168.0.20 dport 30000-30099
      add permit udp any 192.168.0.20 dport 5060
      add permit icmp any 192.168.0.0/24
      exit
    access-group ethernet0 bcm_lan in
    exit 2

Note that this lab snapshot enables telnet_server and permits TCP port 23 from any source to the router's public address, and it permits SSH (22), HTTP (80), HTTPS (443), Business Element Manager (5989) and BCM Monitor (60001) from any source to the BCM. Remote IP sets only need the UNIStim (UDP 7000-7002) and RTP relay (UDP 30000-30099) ranges. In a production deployment, restrict the management ports to known administrator addresses or reach them only over the VPN, and disable Telnet in favour of SSH.

Router configuration for Secure Router 100x 2

The secure router in the context of a remote worker needs to enable dynamic NAT and PAT. The firewall is
Appendix A (continued)

Table 5: IP set network requirements

Phone     | NAT traversal feature required | Encrypted VoIP signaling and media | Comment
(previous row, comment truncated)        |     |     | ...without the NAT traversal feature
IP Set E  | Yes | No  | BCM 6.0: the IP set indicates NO PORTS LEFT on the display without the NAT traversal feature. BCM 5.0: the set registers with the UTPS server but no media path is available without the NAT traversal feature.
IP Set F  | No  | No  |
TDM Set G | No  | No  |
TDM Set H | No  | No  |
IP Set I  | No  | No  |
IP Set J  | No  | No  |
IP Set K  | Yes | No  | Same as IP Set E.
IP Set L  | Yes | No  | Same as IP Set E.
IP Set M  | No  | Yes | IPSec client termination to BCM50E 1 is used to encrypt.
IP Set N  | Yes | No  | Same as IP Set E.
IP Set O  | No  | No  |
IP Set P  | No  | No  |
IP Set Q  | No  | Yes | IPSec BOT between BCM50 1 and BCM50 2 is used to encrypt.

Router configuration for BCM50E 1

The integrated router on BCM50E 1 is configured with a firewall, static network address translation (NAT) and port address translation (PAT), as well as dynamic NAT and PAT. This configuration uses both an IPSec branch office tunnel (BOT) and VPN client termination.

Firewall configuration

The integrated router is configured to permit some traffic from the WAN side to the router and to the LAN, but to block any other type of traffic coming from the WAN. All traffic flowing from LAN to WAN is permitted.

The remote worker feature requires, at a minimum, the following rules:
- UNIStim signaling: UDP ports 7000-7002
- RTP/RTCP media: UDP ports 30000-30099

IPSec BOT and client termination require the following rules:
- IKE: UDP port 500
- IPSec ESP: IP protocol 50
- IPSec NAT traversal: UDP port 4500

Optional BCM applications and VoIP protocols require the following rules:
- Business Element Manager: TCP port 5989
- SSH: TCP port 22
- SIP: UDP port 5060
- HTTP: TCP port 80
- HTTPS: TCP port 443
- BCM Monitor: TCP port 60001

Optional BOOTP client and ping support require the following rules:
- ICMP (ping): IP protocol 1
- BOOTP client: UDP port 68

The optional management ports are not used by remote IP sets; open them only from known administrator addresses rather than from any WAN source.

Figure 9 and Figure 10 show the GUI panels where the firewall is configured.

Figure 9: Business Element Manager firewall configuration panel
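The port lists above, together with the Secure Router access-list in the configuration snapshot, are easy to get wrong in one of two directions: a required UDP range is missing and remote sets fail to register or lose media, or a management port is left open to the whole Internet. The following added Python example (not part of the Avaya documentation) audits an access-list written in the `add permit <proto> <src> <dst> dport <port|range>` form used in the snapshot: it confirms the UNIStim and RTP relay ranges are permitted, flags any management service (Telnet, SSH, HTTP, HTTPS, Business Element Manager, BCM Monitor) reachable from `any`, and lists permits that this appendix does not name. Both access-lists are constructed for the example; the hardened variant assumes an administrator prefix 203.0.113.0/24 (a documentation range), not an address from the manual.

```python
"""Audit a WAN-facing access-list against the remote worker port
requirements in this appendix: required ranges present, management
ports not open to any source, and permits the appendix does not name."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the bcm_lan access-list from the configuration
# snapshot, re-typed here so the example runs offline.
SAMPLE_ACL = """
add permit tcp any 47.135.151.204 dport 23
add permit tcp any 192.168.0.20 dport 22
add permit tcp any 192.168.0.20 dport 5989
add permit tcp any 192.168.0.20 dport 80
add permit tcp any 192.168.0.20 dport 443
add permit tcp any 192.168.0.20 dport 60001
add permit tcp any 192.168.0.20 dport 1222
add permit udp any 192.168.0.20 dport 7000-7002
add permit udp any 192.168.0.20 dport 30000-30099
add permit udp any 192.168.0.20 dport 5060
add permit icmp any 192.168.0.0/24
"""

# Constructed hardened variant: management is reachable only from an
# assumed administrator prefix (203.0.113.0/24 is a documentation range).
HARDENED_ACL = """
add permit udp any 192.168.0.20 dport 7000-7002
add permit udp any 192.168.0.20 dport 30000-30099
add permit tcp 203.0.113.0/24 192.168.0.20 dport 22
add permit tcp 203.0.113.0/24 192.168.0.20 dport 5989
"""

RULE_RE = re.compile(
    r"^add\s+(permit|deny)\s+(tcp|udp|icmp)\s+(\S+)\s+(\S+)"
    r"(?:\s+dport\s+(\d+)(?:-(\d+))?)?\s*$")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    lo: Optional[int]  # first destination port; None for icmp / no dport
    hi: Optional[int]  # last destination port (equals lo for a single port)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'add permit|deny <proto> <src> <dst> [dport N[-M]]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line!r}")
        action, proto, src, dst, lo, hi = m.groups()
        lo_i = int(lo) if lo else None
        hi_i = int(hi) if hi else lo_i
        rules.append(Rule(action, proto, src, dst, lo_i, hi_i))
    return rules


# UDP ranges the appendix says the remote worker feature needs.
REQUIRED: Dict[Tuple[str, int, int], str] = {
    ("udp", 7000, 7002): "UNIStim signaling",
    ("udp", 30000, 30099): "RTP/RTCP media relay",
}
# Other ports the appendix names as optional; not findings when present.
EXPECTED_OPTIONAL = {("udp", 500), ("udp", 4500), ("udp", 5060), ("udp", 68)}
# Management services: a permit from "any" to one of these is a finding.
MANAGEMENT: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS", ("tcp", 5989): "Business Element Manager",
    ("tcp", 60001): "BCM Monitor",
}


def _covers(rule: Rule, proto: str, lo: int, hi: int) -> bool:
    """True if a permit rule spans the whole lo-hi range for proto."""
    return (rule.action == "permit" and rule.proto == proto
            and rule.lo is not None and rule.lo <= lo and rule.hi >= hi)


def audit(rules: List[Rule]) -> Dict[str, list]:
    """Return missing required ranges, management ports exposed to any
    source, and permits from any source the appendix does not name."""
    missing = [name for (proto, lo, hi), name in REQUIRED.items()
               if not any(_covers(r, proto, lo, hi) for r in rules)]
    exposed, unclassified = [], []
    for r in rules:
        if r.action != "permit" or r.src != "any" or r.lo is None:
            continue  # icmp and source-restricted rules are not findings
        for port in range(r.lo, r.hi + 1):
            key = (r.proto, port)
            if key in MANAGEMENT:
                exposed.append((MANAGEMENT[key], port, r.dst))
            elif (key not in EXPECTED_OPTIONAL and not any(
                    p == r.proto and a <= port <= b for (p, a, b) in REQUIRED)):
                unclassified.append((r.proto, port, r.dst))
    return {"missing": missing, "exposed": exposed, "unclassified": unclassified}


if __name__ == "__main__":
    for label, acl in (("snapshot", SAMPLE_ACL), ("hardened", HARDENED_ACL)):
        print(label, audit(parse_acl(acl)))
```

Run against the snapshot, the audit reports no missing ranges, six management ports exposed to any source (including Telnet to the router itself), and one unclassified permit (TCP 1222); the hardened list reports nothing. Extend `MANAGEMENT` and `EXPECTED_OPTIONAL` with whatever else your site exposes before trusting an empty report.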