SBC Essentials & Configuration

Uploaded by

Ahmed Qunibi

AudioCodes SBC

Essentials & Configuration


Ofer Aharonov [email protected]

AudioCodes Academy
https://www.audiocodes.com/services-support/audiocodes-academy
Course Objectives

• After completing this course, you will be able to:


• Identify the AudioCodes products supporting the Session Border Controller (SBC) functionality
• Identify the functions of the SBC
• Understand how the SBC handles SIP messages
• Understand the reasons for Number and Message Manipulation
• Understand the Survivability concept
• Be familiar with the SBC Security features
• Configure the parameters required by the SBC
• Configure SBC Manipulation rules
• Configure the SBC for SIP Trunking
• Configure the SBC PSTN interface

Lessons & Course Timetable

Day 1
• AudioCodes Introduction
• AudioCodes Devices Management Interfaces
• AudioCodes Documentation
• Gateways and SBC Product Line
• Hands-on Lab 1 – Management Interface Usage

Day 2
• SBC Application Description
• SBC Basic Terminology
• SBC Configuration
• Basic Debugging Tools
• SBC Wizard (optional)
• Hands-on Lab 2 – SBC Routing

Day 3
• SBC Media Handling
• Hands-on Lab 3 – SBC Transcoding
• SBC Number & Message Manipulation
• SBC Security
• Hands-on Lab 4 – Header Manipulation

Day 4
• Digital Gateways Basic Configuration
• SBC Survivability
• SBC High Availability
• Hands-on Lab 5 – SBC Survivability
• Certification Exam
Lesson 1

AudioCodes Introduction
AudioCodes at a Glance

• Market leader in VoIP networking products
• Recognized brand for quality & performance
• Deployed in more than 100 countries in service provider and enterprise networks
• Global partnerships with leading telecom players
• Large Fortune 100 install base
• 1000 employees worldwide, ~40% R&D
• More than 29 years of VoIP expertise
• Public since 1999 (NASDAQ:AUDC)

https://www.audiocodes.com/corporate/about-audiocodes
Global Presence and Support

• Worldwide presence:
• Headquarters: Israel
• North America: USA and Canada
• APAC: Singapore, China, Japan, India, Korea, Australia, Hong Kong, etc.
• EMEA: Germany, UK, France, Netherland, Russia, Italy, South Africa, Poland, Sweden, etc.
• CALA: Brazil, Mexico, Argentina, Colombia, etc.
• Global Distribution Network covering more than 100 countries
• Support Centers covering all time zones
• 3 Logistics Centers in North America, EMEA and APAC

Broadest Portfolio of Products

Management/Apps
Routing Manager OVOC UMP Apps

Room Solutions
& IP Phones All-In-One
405 445 450/C450 470 Video Collaboration Bar Personal Webcam UC-HRS Speakers Conference Phone

Virtual & Cloud SBC


Mediant VE (Virtual Edition) Mediant CE (Cloud Edition)

Pure SBC
Mediant 2600/B Mediant 4000/B Mediant 90xx Mediant SE Software Edition

Hybrid SBC/Gateway
Mediant 500/L Mediant 800B/C Mediant 1000B Mediant 3100

Gateways/Adaptors
MP-2xx MP-1xx MP-124 MP1288
The Voice Experts @ Your Service

• Network Readiness Assessments
• Voice Management Design
• Project Planning & Design
• Site Survey, Installation & Implementation
• AudioCodes Academy
• 24x7 Technical Support
• Hardware Replacement
• Local Technician Dispatch
• Software Upgrades
• Remote Monitoring
• End to End Managed Services

Operational Services – ACTS & CHAMPS

• Two types:
• ACTS: Direct Support
• Tier 2-4
• 9x5 or 24x7
• CHAMPS: Back-to-Back Support
• Tier 3-4
• 9x5 or 24x7

• Not including installation, configuration, and provisioning (which can be purchased separately)
• Support available after AudioCodes products are implemented and in service
• Support is provided based on serial number entitlement check
• Extended Hardware Warranty (RMA) included
• Software Maintenance and all S/W upgrades, patches, maintenance releases and major version releases
• Certificate of Eligibility issued with each purchase

Technical Training – Certification Levels

• ACA – AudioCodes Certified Associate


• Basic level certification
• Required for the installation and maintenance of AudioCodes devices

• ACP – AudioCodes Certified Professional


• Advanced level certification
• Required for the installation, maintenance and advanced troubleshooting
of all AudioCodes networking products in advanced customer scenarios
• Prerequisite: ACA certification and 6 months of field experience as ACA

* Certificates are valid for two years


Technical Training – Career Certifications
• Record of Participation courses:
• AudioCodes Routing Manager (ARM)
• AudioCodes One Voice Operation Center (OVOC)
• VoIP and SIP Fundamentals
• AudioCodes SBC: Fundamentals
• ACA courses:
• AudioCodes SBC: Essentials & Configuration
• AudioCodes SBC in Microsoft Teams Environment: Essentials & Configuration
• AudioCodes Enterprise GW: Essentials & Configuration
• AudioCodes SBC Testing & Troubleshooting

• ACP courses:
• AudioCodes SBC: Advanced Interworking & Security
• AudioCodes SBC: Advanced Routing & Multitenancy
• AudioCodes SBC in Microsoft Teams Environment: Advanced
AudioCodes Website

https://www.audiocodes.com
Lesson 2

AudioCodes Devices Management Interfaces


Objectives

• After completing this lesson, you will:


• Be familiar with the AudioCodes GUI
• Know how to assign IP Networking parameters
• Be familiar with the Maintenance Interface
• Understand ini file structure
• Know how to upgrade/downgrade firmware
• Know how to update the License Key

Management and Maintenance Options

• Embedded Web Server
• Command Line Interface (CLI)
• Configuration file, referred to as the ini file
• REST-based programs (such as AudioCodes’ OVOC)

Assigning Networking Parameters

• HTTP using Web browser


• Console/CLI
• DHCP
• BootP

Default Factory IP Address

Product: Default
• MP-11x, MP-124:
  • FXS and FXS/FXO devices – 10.1.10.10/16
  • FXO devices – 10.1.10.11/16
• MP-1288, Mediant 500/L/Li E-SBC, Mediant 800B/C E-SBC, Mediant 1000B E-SBC, Mediant 2600 SBC, Mediant 3100 SBC, Mediant 4000/B SBC, Mediant 9030/9080 SBC, Software SBC (Mediant SE/VE/CE): 192.168.0.2/24
• Mediant 500/L/Li MSBR, Mediant 800 MSBR:
  • LAN – 192.168.0.1/24 (DHCP Server enable)
  • WAN – DHCP Client

Assigning IP Address – HTTP

• Disconnect the SBC from the network and connect it to a PC


• Change the PC’s IP address and subnet mask to correspond with the SBC's factory default
networking parameters
• Open a Web browser and access SBC Web interface
• Browse to the IP NETWORK >> CORE ENTITIES >> IP Interfaces web page
• Change the networking parameters
• Reconnect the SBC and your PC to the network
• Restore your PC’s IP address and subnet mask to their original settings
• Reconnect to the SBC Web browser and save the configuration to the flash

192.168.0.2 /24

192.168.0.7 /24

Assigning IP Address – Command Line Interface (CLI)

• Establish a console session with the device using COM/VGA, or a remote session using SSH/Telnet

• Use these communications port settings:


• Baud Rate: 115,200 bps
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None

• At the CLI prompt, type the following (case sensitive):


• Default Username: Admin
• Default Password: Admin

Assigning IP Address – RS-232

Username: Admin
Password: *****

Mediant 800> enable
Password: *****

Mediant 800# configure network
Mediant 800(config-network)# interface network-if 0
Mediant 800(network-if-0)# ip-address 10.15.17.55
Note: Changes to this parameter will take effect when applying the 'activate' or 'exit' command
Mediant 800(network-if-0)# prefix-length 16
Note: Changes to this parameter will take effect when applying the 'activate' or 'exit' command
Mediant 800(network-if-0)# gateway 10.15.0.1
Note: Changes to this parameter will take effect when applying the 'activate' or 'exit' command
Mediant 800(network-if-0)# exit
Mediant 800(config-network)# exit
Mediant 800# write
Writing configuration...done

Mediant 800#

• At each Password prompt, Admin is typed and is displayed as *****
• After 'exit' the address is changed. For a remote connection, log on again using the new IP address

Assigning IP Address – DHCP
• Dynamic Host Configuration Protocol: Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused
• After the device is powered up, if DHCP is enabled (DHCPEnable = 1), the device attempts to obtain its IP address and other network parameters from the DHCP server

Assigning IP Address – BootP

• Bootstrap Protocol allows a host to configure itself dynamically


• Provides two main services:
• Assigns IP address and networking parameters
• Provides the name of the software (cmp) file and configuration (ini) file to be loaded by
the device (via TFTP)
• Provides the IP address of the TFTP server
• MediaPack
• Hardware reset triggers a BootP request
• Mediant
• BootP request on startup is not supported on Mediant SBCs
• To force a BootP request, press the Reset button for 30 seconds (Rescue Mode)

Configuration File (ini file)

Serial Number = Decimal representation of the last 6 digits of the MAC address (i.e., 00:90:8F:49:5A:31)

7.40.250 – Major software version
A – Indicates that this is a SIP version (e.g., not Megaco)
262 – Minor software version

Configuration File (ini file)

Stand-alone Parameters

Table Parameters

ini File Parameters
• The ini file can be loaded via BootP/TFTP, Web interface, or using the automatic update mechanism
• Case insensitive
• Subsection names are optional
• Lines beginning with semi-colon (;) as first character are ignored
• Carriage Return must be each line’s final character
• Number of spaces before and after equal ( = ) is irrelevant
• Values of string parameters must be placed between two single quotes ( ‘ ’ )
• Syntax errors in value can cause unexpected errors (may be set to wrong values)
• Syntax error in the parameter name is ignored (error message is generated)
• When a parameter is missing from the ini file, its default is assigned

[Optional Sub Section Name]

Parameter_Name1 = Parameter_Value
Parameter_Name2 = Parameter_Value
Parameter_Name3 = ‘String’

; REMARK
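
A pre-load check for the stand-alone parameter rules listed above, as an added example (not AudioCodes code and not part of the original slides). It reads the file as bytes, applies the remark, subsection, case and quoting rules, and reports lines the device would ignore or might misread. Assumptions: apart from DHCPEnable the parameter names are hypothetical, table parameters are not handled, and every non-integer value is treated as a string.

```python
import re

# Names the linter accepts. Only DHCPEnable appears on the page; the other
# two are hypothetical names invented for this example.
KNOWN_NAMES = {"dhcpenable", "examplestringparam", "exampleintparam"}
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"


def lint_ini(raw, known_names=KNOWN_NAMES):
    """Check stand-alone parameters; return (params, findings).

    params maps the lower-cased name to the last value read.
    findings is a list of (line_number, message) tuples.
    """
    params, findings, first_seen = {}, [], {}
    pieces = raw.decode("utf-8", errors="replace").split("\n")
    if pieces and pieces[-1] == "":
        pieces.pop()  # nothing follows the final newline
    for number, piece in enumerate(pieces, start=1):
        if not piece.endswith("\r"):
            findings.append((number, "line does not end with a carriage return"))
        line = piece.rstrip("\r")
        # Only ';' as the very first character makes a remark line.
        if not line.strip() or line.startswith(";"):
            continue
        line = line.strip()
        if re.fullmatch(r"\[[^\[\]]*\]", line):
            continue  # optional subsection name
        if "=" not in line:
            findings.append((number, "no '=' between name and value"))
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = name.lower()  # names are case insensitive
        if key not in known_names:
            # The slide says a bad name is ignored, so the default would apply.
            findings.append((number, f"unknown parameter name {name!r}"))
            continue
        if key in first_seen:
            findings.append((number, f"{name!r} repeats line {first_seen[key]}"))
        first_seen.setdefault(key, number)
        if any(ch in CURLY_QUOTES for ch in value):
            # Typical when a value is pasted from slides or a document.
            findings.append((number, "typographic quote; use ASCII ' instead"))
        elif value.startswith("'") != value.endswith("'") or value == "'":
            findings.append((number, "unbalanced single quote"))
        elif value.startswith("'"):
            value = value[1:-1]
        elif not re.fullmatch(r"-?\d+", value):
            # Assumption of this example: any non-integer value is a string.
            findings.append((number, "string value is not in single quotes"))
        params[key] = value
    return params, findings


# Constructed sample, not a real device configuration.
SAMPLE = (
    b"; constructed sample\r\n"
    b"[Example Section]\r\n"
    b"DHCPEnable = 1\r\n"
    b"ExampleStringParam = \xe2\x80\x98lab-sbc\xe2\x80\x99\r\n"
    b"dhcpenable=0\r\n"
    b"ExmapleIntParam = 5\r\n"
    b"ExampleIntParam = 7\n"
)

if __name__ == "__main__":
    for line_number, message in lint_ini(SAMPLE)[1]:
        print(f"line {line_number}: {message}")
```
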
ini File Table Parameters

• Tables are used in ini files to represent parameters that have several instances
(e.g., Coders, Proxy servers, Routing tables, etc.)
• Examples:

AudioCodes INI Viewer & Editor
• A simple viewer and editor for configuration (INI) files used by AudioCodes Media Gateway and Session Border Controller (SBC) products
• Two Modes:
• View Mode:
• Standalone and Table parameters can be viewed in a very friendly way
• Edit Mode:
• Standalone and Table parameters can be edited (modified, added, removed, etc.) for a very easy way of changing their contents
• Once this is done, the new INI file can be saved and uploaded to the device in order to apply the new configuration

Accessing the Web Interface

Default Username: Admin


Default Password: Admin
GUI Areas

Company Logo Menu Bar Containing the Menus:


• Setup
• Monitor
• Troubleshoot

GUI Areas

Work pane: Where configuration pages are displayed

Tab bar containing tabs pertaining to the selected menu:


• Setup menu:
• IP Network
• Signaling & Media
• Administration
• Monitor menu:
• Monitor
• Troubleshoot menu:
• Troubleshoot

Navigation Tree

Tool Bar

Button: Description
• Save: Saves parameter settings to flash memory
• Reset: Resets the device
• Actions: Opens a drop-down menu list with frequently needed commands:
  • Configuration Files to load or save an ini file
  • Auxiliary File to load auxiliary files such as: Dial Plans, Call Progress Tones, others
  • License Key to determine features, capabilities and available resources
  • Software Upgrade to upgrade the device's software
  • Configuration wizard
• (icon): Displays the number of active alarms generated by the device
• Logon Name (like Admin): Opens a drop-down menu and:
  • Shows the logged in user’s access level and session time
  • Allows password change
  • Allows to Logout
Modifying/Saving Parameters

• When changing parameter values, the changed parameter has a yellow background
• To save configuration changes to volatile memory (RAM), click the Apply button
• A dot appears next to parameters changed from their default values
• Modifications to parameters with on-the-fly capabilities are immediately applied to the device and immediately take effect
• Parameters displayed with a lightning symbol are not changeable on-the-fly and require a device reset

Modifying/Saving Parameters

• If you click the Apply button after modifying parameters, a red rectangle appears surrounding the Save button
• This is a reminder to save your settings to flash memory

• If you click the Apply button after modifying parameters that take effect only after a device reset, a red rectangle appears surrounding both the Save and Reset buttons
• This is a reminder to later save your settings to flash memory and reset the device

Stand-alone Parameters Indications Meaning

• Parameters changed and not applied are highlighted
• A dot appears next to parameters changed from their default values and when the Apply button was clicked
• Changes to parameters displaying a lightning-bolt icon must be saved to flash memory, followed by a device reset, for your changes to take effect
• Typically required parameters are displayed in bold font
• An invalid value for a parameter reverts to its previous value and is surrounded by a colored border
• To get help on a parameter, hover your mouse over the parameter's field; a pop-up help appears, displaying a brief description of the parameter

Table Parameters – General Description

• Page title (name of table): also displays the number of configured rows as well as the number of invalid rows
• Navigation bar for scrolling through the table's pages
• Filter for searching parameters and values
• Sort can be done by any column
• Added table rows, displaying only some of the table parameters
• Adds a new row to the table
• Modifies the selected row
• Deletes the selected row
• Detailed view of a selected row, displaying all parameters
• Link to open the "child" table of the "parent" table; only appears if the table has a "child" table
Table Syntax
• The table is divided into three main areas: General, Matching characteristics and Action to take
• If the incoming call matches the characteristics of a rule, then the call is sent to the destination
configured for that rule
• Non-configured parameter fields may appear with different values, for example: “-1”, “0” or empty

Numbers Notation for Routing and Manipulation

• Flexible numbers notations for describing the prefix and/or suffix source and/or destination phone numbers and SIP URI usernames:
▪ Prefix [n-m] or Suffix (n-m)
  ▪ Represents a range of numbers
▪ Prefix [n,m,...] or Suffix (n,m,...)
  ▪ Represents multiple numbers
  ▪ Multiple ranges such as [n-m,s-t] are also supported
  ▪ Up to three digits can be used to denote each number
▪ x (letter ‘x’)
  ▪ Represents any single digit
▪ * (asterisk symbol)
  ▪ Represents any number
▪ # (Pound symbol)
  ▪ Represents the end of a number

Username Pattern examples:
5
5*
5#
(5)
2[1-4,7,9]
[100-150,222,244,300-499]
6[100-300]
6[100-300]#
976(99)
(88[1-4])
[5000000-5000099]
7x*
1xxx
[1-5][12,34][500-599]
1xxx#
976[4,5,7-9]xxx#
2[2,6,7,9]
2[1-4]
(555)
*

Numbers Notation – Examples
• [2,3,4,5,8]xxx
• Represents four-digit numbers or more that start with 2, 3, 4, 5 or 8
• Can write: [2-5,8]xxx
• [5200-5299]#
• Represents four-digit numbers that start with 5200 to 5299
• 12345
• Represents any number that starts with 12345
• 12345xx#
• Represents seven-digit numbers that start with 12345 (from 1234500 to 1234599)
• 4[000-599]#
• Represents four-digit numbers that start with 4 [4000 to 4599]
• (100)
• Represents any number that finishes with 100
• (266[1-9])
• Represents any number that finishes with 2661 to 2669
• 1[2,7][33,66]
• Represents any number that starts with 1233, 1266, 1733 or 1766

Fields to Match

• Device attempts to match patterns at the top of the table first (first match)
• More specific rules should be at the top and more generic ones at the bottom

Take the rule up

‘551’ will never match because ‘55’ matches every prefix that starts with ‘55’
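
The number notation above and the first-match rule from "Fields to Match", as an added example that is not part of the original slides or of AudioCodes software. It matches numbers against prefix, suffix and '#'-terminated patterns and reports rules that an earlier rule makes unreachable. Assumptions: the function names are made up here, '*' is handled only as a whole pattern, combined forms such as 976(99) are rejected, and both bounds of a range must have the same width.

```python
import re

TOKEN = re.compile(r"\[([0-9,\-]+)\]|([0-9])|(x)")


def parse_elems(body):
    """Each element is a list of (width, low, high) digit-group alternatives."""
    elems, pos = [], 0
    while pos < len(body):
        tok = TOKEN.match(body, pos)
        if not tok:
            raise ValueError(f"unsupported notation at {body[pos:]!r}")
        if tok.group(1):  # [n-m], [n,m,...] or a mix such as [2-5,8]
            alts = []
            for item in tok.group(1).split(","):
                low, _, high = item.partition("-")
                high = high or low
                if len(low) != len(high) or int(low) > int(high):
                    raise ValueError(f"bad range {item!r}")
                alts.append((len(low), int(low), int(high)))
            elems.append(alts)
        elif tok.group(2):  # literal digit
            elems.append([(1, int(tok.group(2)), int(tok.group(2)))])
        else:  # x: any single digit
            elems.append([(1, 0, 9)])
        pos = tok.end()
    return elems


def compile_pattern(pattern):
    """Return (kind, elems); kind is 'any', 'suffix', 'closed' or 'open'."""
    if pattern == "*":
        return "any", []
    if pattern.startswith("(") and pattern.endswith(")"):
        return "suffix", parse_elems(pattern[1:-1])
    if pattern.endswith("#"):  # '#' marks the end of the number
        return "closed", parse_elems(pattern[:-1])
    return "open", parse_elems(pattern)


def ends(elems, number, start):
    """Every index at which elems can stop when matched from start."""
    positions = {start}
    for alts in elems:
        reached = set()
        for pos in positions:
            for width, low, high in alts:
                chunk = number[pos:pos + width]
                if (len(chunk) == width and chunk.isascii()
                        and chunk.isdigit() and low <= int(chunk) <= high):
                    reached.add(pos + width)
        positions = reached
    return positions


def matches(pattern, number):
    kind, elems = compile_pattern(pattern)
    if kind == "any":
        return True
    if kind == "suffix":
        return any(len(number) in ends(elems, number, i)
                   for i in range(len(number) + 1))
    stops = ends(elems, number, 0)
    return len(number) in stops if kind == "closed" else bool(stops)


def first_match(rules, number):
    """Index of the first matching rule, top of the table first, or None."""
    return next((i for i, r in enumerate(rules) if matches(r, number)), None)


def expansions(elems, limit=50000):
    """Concrete digit strings the elements spell out, or None if too many."""
    out = [""]
    for alts in elems:
        if len(out) * sum(h - l + 1 for _, l, h in alts) > limit:
            return None
        out = [s + str(v).zfill(w) for s in out
               for w, l, h in alts for v in range(l, h + 1)]
    return out


def shadowed_rules(rules):
    """(upper, lower) pairs where the lower rule can never match first.
    Sound, not complete: suffix rules and joint shadowing are not reported."""
    pairs = []
    for low, low_rule in enumerate(rules):
        low_kind, low_elems = compile_pattern(low_rule)
        cases = expansions(low_elems) if low_kind in ("open", "closed") else None
        for up in range(low):
            up_kind, _ = compile_pattern(rules[up])
            if up_kind == "any":
                covers = True
            elif cases is None or up_kind == "suffix" or (
                    up_kind == "closed" and low_kind == "open"):
                covers = False  # not analysed, or lower accepts longer numbers
            else:
                covers = all(matches(rules[up], n) for n in cases)
            if covers:
                pairs.append((up, low))
                break
    return pairs


RULES = ["55", "551", "[5200-5299]#", "*"]  # constructed routing-table order

if __name__ == "__main__":
    print(first_match(RULES, "5512345"), shadowed_rules(RULES))
```

Running the check on a rule table before loading it shows which specific rules need to move above a more generic one.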
Assigning Rows from other Tables

• Tables may contain parameters assigned a value which is a row referenced from
another table

A View button opens the row-referenced table

Table Parameters Invalid Values Indications
• When adding a row:
• If a mandatory parameter’s value, which is a row referenced from another table is not assigned,
after clicking Apply, an error message is displayed at the bottom of the dialog box
• Clicking Cancel closes the dialog box and the row is not added to the table
• To add the row, you must configure the parameter

Table Parameters Invalid Values Indications
• When editing a row:
• If a parameter’s configuration is changed so that it's no longer assigned with a referenced
row from another table, when the dialog box is closed, the Invalid Line icon appears for
the table in which the parameter is configured, in the shown locations:

Page title of the table. The total number of invalid rows in the
table is also displayed with the icon

'Index' column of the row to which the parameter belongs

Item in the Navigation tree that opens the table


Table Parameters Invalid Values Indications

• When a parameter is assigned a value which is an invalid row referenced from another table:
• The Invalid Reference Line Icon is displayed for the table in which the parameter is configured, in the shown locations

Page title of the table. The total number of invalid rows in the table
is also displayed with the icon

'Index' column of the row to which the parameter belongs

Item in the Navigation tree that opens the table


Searching for Configuration Parameters

• Parameter names (standalone or table) and values can be searched in the Web interface
• The search key can include the full parameter name (Web or ini file name) or a substring of it
• For a substring, all parameters containing the substring in their names are listed in the search result
• The search key for a parameter value can include alphanumeric and certain characters
• The key can be a complete value or a partial value

• When the device completes the search, it displays a list of found results based on the search key
• Each possible result, when clicked, opens the page on which the parameter or value is located

Searching for Configuration Parameters

Search can be by name or by value

Setup Menu: IP Network Option
• Home Page: NETWORK VIEW

• IP Interfaces can be added, edited, viewed or deleted
• VLANs can be added, edited, viewed or deleted
• Ethernet Groups can be edited or viewed
• Physical Ports can be edited or viewed

Setup Menu: Signaling & Media Option
• Home Page: TOPOLOGY VIEW

• Trunk Groups can be added
• Tel view (i.e. related to the PSTN)
• IP top view (i.e. related to the WAN)
• SIP Interfaces can be added and shown at the top or bottom (GW application)
• SIP Interfaces can be added and shown at the top or bottom (SBC application)
• Media Realms can be added and shown at the top or bottom
• IP bottom view (i.e. related to the LAN)
• IP Groups can be added

Setup Menu: Signaling & Media Option
• Home Page: TOPOLOGY VIEW

• Click to edit, show, or delete parameters or tables
• Hover to see the basic configuration

Setup Menu: Signaling & Media Option
• Home Page: TOPOLOGY VIEW

• Direct links to the Gateway’s main parameters and tables
• Direct links to the SBC’s main parameters and tables
• The links between SIP Interfaces, Media Realms and IP Groups are shown
• Indications of valid or invalid configuration on tables or parameters

Setup Menu: Administration Option
• Home Page: TIME & DATE

• Displays and allows configuring the local time and date
• Displays and allows configuring the UTC, offset and DST
• Displays and allows configuring the NTP server information

Web Local Users Table

User levels:
• Monitor
• Administrator
• Security Administrator
• Master
Maintenance Actions
• Reset Device: After a Web reset, the device starts from Flash
• Lock: The device doesn't accept any new incoming calls
• Save to Flash: Save the running configuration to the memory
• Graceful Option: Shutdown is performed only after the configured number of seconds, or when no more active traffic exists
  • Yes: The device locks only after a user-defined duration, configured in the 'Lock Timeout' field. During this interval, no new traffic is accepted, allowing only existing calls to continue until the timeout expires. If at any time during this timeout there are no active calls, the device locks. If there are still active calls when the timeout expires, the device terminates them and locks
  • No: The device locks immediately, terminating all existing traffic
• TLS/TCP client connections during the locked state:
  • Enable: terminates (closes) existing TLS/TCP client connections and rejects new incoming TLS/TCP client connections during the locked state
  • Disable (default): existing client connections remain, and incoming TLS/TCP client connections are accepted during the locked state
Maintenance: Configuration File

Load/Save ini Configuration File

To restore the defaults, use ‘Restore Factory Defaults’ with or without ‘Preserve basic connectivity’ checked
An additional way is to use an empty ini file

Configuration, Auxiliary and Certificate files can be loaded to and saved from the device as a single, packaged file
The feature is typically used for backup and loading the backup to other devices

Configuration Package Files
• ini.ini (ini configuration file)
• LOGO.dat (image file used as the logo in the Web interface)
• FAVICON.dat (favicon file used for Web browsers)
• CPT.dat (Call Progress Tone file)
• PRT.dat (Pre-recorded Tone file)
• AMD.dat (Answer Machine Detection file)
• SBC_Wizard.dat (SBC Configuration Wizard template file)
• CAS file – present only if a CAS file was previously loaded to the device
• Certificate files (<ctx_id>.crt, <ctx_id>.root, <ctx_id>.pkey)

Maintenance: Auxiliary Files
• Various auxiliary files can be loaded to the device

Maintenance: Upgrading & Downgrading Software

• The device can be updated with software (cmp file), configuration (ini file), auxiliary files and license key using:
• Web interface
• Automatic Update Mechanism
• BootP/TFTP utility

Maintenance: License Key

• Supplied with SBC and digital gateways (not relevant for MP-1xx)
• Determines features, capabilities and available resources
• Provided in string format or in a txt file to be loaded to the device
• Stored in the device's non-volatile flash memory
• After loading the new key, the device must be reset
• Two options for managing the license:
• Local on the SBC
• By AudioCodes OVOC

License Types for SBCs
• Local License
• By loading a license key to the device, without requiring the OVOC

• Fixed License
• Allows a 'tenant' operator to update licenses from a central pool in a simple process
• The operator can allocate and de-allocate the licenses for the devices in the pool according to their capacity
requirements
• Requires SBCs loaded with version 7.0 or later

• Floating License – Cloud Mode


• This mode manages the license per tenant in the Cloud using the AudioCodes Floating License Service
• Requires SBCs loaded with version 7.2.202 or later and OVOC version 7.4.3000 or later

• Floating License – Flex Pool Mode


• It supports a Floating License across a network without the need to connect to a public cloud and enables service to
continue uninterrupted for a grace period once the license has expired
• Requires SBCs loaded with version 7.2.256.300 or later and OVOC version 7.8 or later

Local License Key

Device License Key in Fixed Pool Mode

Device License Key in Cloud Mode

Device License Key in Flex Pool Mode

Monitor Menu
• Home Page: MONITOR

• Shows the IP Address, Firmware, Type of Devices and Serial Number
• Displays status and information on the hardware
• Displays SBC’s statistics and information on calls, transactions and registration

Device Information

Troubleshoot Menu

• Home Page: MESSAGE LOG

Auto-Completion Editor
• Auto-completion for parameters whose values are configured using a special syntax
• An Editor button is displayed alongside their fields, which when clicked, opens a syntax editor
• As text is typed in the field, the user is prompted with optional syntax

AdminPage

• Used to configure parameters that don’t appear in the Web interface

Lesson 3

AudioCodes Documentation
Lesson Objectives

• After completing this lesson, you will:


• Understand how to obtain technical documentation from AudioCodes’ Web site
• Be familiar with the different documents that AudioCodes publishes regularly for its products
• Understand how to use the documents for configuration and maintenance purposes

Obtaining AudioCodes Documentation

• You can access all AudioCodes' documentation from AudioCodes Web site:
• Technical documentation (user manuals, hardware installation manuals, configuration
and release notes)
• Homologation material (regulatory information)
• Partner/channel material (interoperability guides etc.)
• Marketing material (white papers, application notes, product notices, etc.)

Obtaining Document

https://www.audiocodes.com/library/technical-documents
Obtaining Document (Cont.)
• Use the following filters to search for your document:

Hardware Installation Manual – Specific Documentation

• Hardware description and step-by-step procedures for installing and cabling the device
• Divided into chapters, such as:
• Overview of the product
• Unpacking the device
• Physical description
• Mounting the device
• Cabling the device
• Hardware maintenance

User’s Manual – Specific Documentation

• Main document for configuration and maintenance


• Divided into parts, such as:
• Overview of the product
• Getting started
• Management tools
• General System Settings
• General Configuration
• Specific applications’ description and configuration
• Maintenance
• Status, Performance Monitoring and Reporting
• Diagnostics
• Appendixes
• Identified by software release version

Release Notes

• Release Notes
• One per software release
• Includes:
• New features
• Updates
• Bug fixes
• Workarounds on existing constraints
• Others

Complementary Guides

• Complementary Guides
• Includes
• Reference Guides
• Design Guides
• Security Guidelines
• Utilities Guides
• Others
• Identified by software release version

Configuration Notes

• Configuration Notes
• Document providing a detailed description on how to configure a specific feature/function/application for a product
• Normally referenced by the User’s Manual

Check your Learning

What is the default of “Number of Media Channels” parameter?


Check in the User Manual

Lesson 4

Gateways and SBC Product Line


Lesson Objectives

• After completing this lesson you’ll be able to:

• Identify AudioCodes analog and digital gateways


• Identify AudioCodes products that support SBC

Analog Gateways Overview

• Analog FXS and FXO VoIP gateways


• Available configurations:
• MP-112 featuring 2 FXS ports
• MP-114 featuring 4 FXS / FXO / Mixed FXS + FXO ports
• MP-118 featuring 8 FXS / FXO / Mixed FXS + FXO ports
• MP-124 featuring 24 FXS ports
• MP-1288 featuring up to 288 FXS ports (SBC capability)

• Firmware file:
• MP-11x gateways (FXS and FXO) use the same firmware (.cmp) file *
• MP-124 gateway requires its own firmware file *
• MP-1288 gateway requires its own firmware file

Note: The latest maintenance firmware version for MP-11x and MP-124 is 6.6

Analog Gateways Portfolio

Model | MP-112 | MP-114 | MP-118 | MP-124 | MP-1288
Number of analog ports | 2 | 4 | 8 | 24 | 288
FXS / FXO | FXS | FXS / FXO | FXS / FXO | FXS | FXS
Power Supply | AC | AC | AC | AC / DC | AC / DC

Digital Gateways Overview

• Digital PRI and BRI VoIP gateways
• Up to 16000 simultaneous calls
• SBC capability (some of them)
• Analog capability (some of them)

Models: Mediant 500L, Mediant 500, Mediant 1000B, Mediant 800B, Mediant 800C, Mediant 3100, Mediant 5000, Mediant 8000

Note:
• The latest maintenance firmware version for Mediant 5000 and 8000 is 6.6

SBC Portfolio

Hybrid SBC/Gateway
Mediant 500/L Mediant 800B/C Mediant 1000B Mediant 3100

Pure SBC
Mediant 2600 Mediant 4000/B Mediant 90xx Mediant SE Software Edition

Virtual & Cloud SBC


Mediant VE (Virtual Edition) Mediant CE (Cloud Edition)

Hybrid SBC Portfolio

Mediant 500L/Li E-SBC Mediant 500 E-SBC Mediant 800B/C E-SBC Mediant 1000B E-SBC Mediant 3100 SBC

Small Enterprise, SMB, SMB, SME, Enterprise,


End customer SMB
Branch Branch Branch Service Providers
SIP Trunk, SIP Trunk,
Demarcation Device, SIP Trunking, SIP Trunking,
Application Survivability, Survivability,
SIP Trunking TDM Trunking TDM Trunking
TDM Trunking TDM Trunking

Sessions 60 250 400 150 5000

SRTP-RTP 60 200 300 120 5000

Transcoding N/A N/A 114 96 3072

Registers 200 1500 2000 600 20000

4*Analog, 4*Analog, 12*Analog, 8*BRI, 24*Analog, 20*BRI,


Media Gateway 8*64 E1/T1
4*BRI 1*E1/T1 4*E1/T1 6*E1 or 8*T1

MSBR √ √ √ X X

OSN X X √ √ X
Pure SBC Portfolio

Mediant 2600 SBC Mediant 4000/B SBC Mediant 9030/9080 SBC Mediant SE
Large Enterprise, Large Enterprise,
Enterprise, Service Providers,
End customer Service Providers, Service Providers,
Contact Center OEM
Contact Centers Contact Centers
SIP trunking, SIP trunking, SIP Trunking,
Application SIP Trunking
Service Provider Access SBC Service Provider Access SBC SP Access SBC
Sessions 600 5000 30000/70000 70000
SRTP-RTP 600 3000/5000 30000/40000 40000
600 2400/5000 9080 only - 30000 25000
Transcoding
(with MPM4) (with MPM) (with Media Component) (with Media Component)
Registers Up to 8000 Up to 20000 Up to 200000/500000 Up to 500000
OSN √ √ X X

Virtual & Cloud SBC Portfolio

Mediant VE Mediant CE (Cloud Edition)


Enterprise
Enterprise
End customer ISVs & OEMs
Service Providers
Service Providers
SIP Trunking SIP Trunking
Application
Service Provider Access SBC Service Provider Access SBC
Sessions 24000 70000
SRTP to RTP 10000 40000
Up to 12,000 30000
Transcoding
(with Media Component) (with Media Component)
Registers 75000 500000

Open Solutions Network (OSN) Server Hosted Mediant

Parameter OSN3C OSN4B OSN6 OSN7


Intel® Pentium® Processor Intel® Xeon® Processor Intel® Core™ i7-5850EQ Intel® Pentium® Processor
CPU D1508 D-1527 Processor D Series
2 Cores, 3M Cache, 2.20 GHz 4 Cores , 6M Cache, 2.20 GHz 4 Cores, 6M Cache, 2.7 GHz 2 Cores, 3M Cache, 2.60 GHz
Memory 8 GB 16 GB 32 GB 16 GB
Hard Up to 2 hard drives (HDMX modules) 500 GB HDD or 120GB
128 GB SSD (or higher, for special request)
Drives SSD (2 HDD can work in Raid1)

• 2 Gigabit Ethernet external (rear panel)


• 2 Gigabit Ethernet external (rear panel)
• 1 Gigabit Ethernet internal bus, connected to the Mediant
• 1 Gigabit Ethernet internal bus, connected to the Mediant
Interfaces • USB 2.0
• 3 USB 2.0
• RS-232
• VGA
• Graphics

• Mediant 1000B
Mediant • Mediant 800B
• Mediant 2600B (just for SBA)
Types • Mediant 800C
• Mediant 4000B
Multi-Service Business Routers – MSBR

• Wide range of WAN interfaces


• 10/100/1000 Base-T Copper Ethernet interface
• 2 Dual-Mode (100Base-X and 1000Base-X) SFPs
• ADSL2+, SHDSL, VDSL2 vectoring
• 3G/4G/5G
• Gigabit Ethernet LAN with option for PoE
• Routing, switching and QoS
• Stateful firewall and VPN
• Integrated session border controller (SBC)
• Analog and digital telephony interfaces

• Products:
• Mediant 500/L/Li
• Mediant 800B/C

Media Processing Module (MPM)

• Optional, customer-ordered AMC-based module


• Provides additional Digital Signaling Resources (DSP) required for transcoding call sessions
• Different MPM module types are available:
• MPM4 module, providing 4 DSPs (up to 600 sessions)
• MPM8 module, providing 8 DSPs (up to 2400 sessions)
• MPM8B module, providing 8 DSPs (up to 2400 sessions)
• MPM12B module, providing 12 DSPs (up to 3250 sessions)

• Up to three MPM modules can be installed


• MPM4 and MPM8 module types can be installed in the same Mediant 2600/4000 chassis
• MPM8B and MPM12B module types can be installed in the same Mediant 4000B chassis

Media Transcoder (MT) and Media Transcoding Cluster (MC)

• External DSP resources for media-related features requiring DSPs


• 2 types of deployment:
• Hardware based on the Mediant 4000B chassis and MPM8B or/and MPM12B modules
• Virtual based on Mediant VE platform and virtual DSPs
• Supported only by Mediant 9080 and SW-SBC VE
• Each MT device supports up to 5000 media sessions

• As transcoding needs increase, multiple MT devices can be configured as a farm: the Media Transcoding Cluster (MC)
• Up to 8 MTs for hardware-based appliance
• Up to 5 MTs for virtual based appliance
• Provides load-sharing and cluster redundancy
• MT cannot be shared by multiple SBC devices

Media Transcoding Cluster (MC)

• The Media Transcoding Clusters are "hidden" from the endpoints being serviced by the SBC
• Requires a suitable License Key

SBCs journey to the cloud

• SBC traffic demands are dynamic
• Sizing an SBC for worst-case scenario is cost prohibitive
• SBC elasticity is key for resource optimization – you can start small and grow as needed

[Chart: active calls and resources, comparing fixed allocation with dynamic allocation]

Mediant Cloud Edition SBC (Mediant CE)
• Separated signaling and media processing (built out of dedicated functional blocks)
• Elastic Media Cluster (traffic-based scalability)
• Full SBC functionality
• Single management point
• Multi Cloud (Amazon AWS and Microsoft Azure)
• Built-in HA

[Diagram: Signaling and management components (SC, SC) and media components (MC, MC, MC, …) on virtual infrastructure (compute, storage, networking), with the Stack Manager (CLI, REST API)]

Automation
- New SBC Stack Manager
- REST API for all actions
- CLI for scripting languages
- NFV and DevOps API
Hands-on Lab 1

Management Interface Usage


Lesson 5

SBC Application Description


Lesson Objectives

• After completing this lesson you’ll know:

• Where and how to locate the SBC

• SBC functions

SBC Definition

• A device/application which:
• Manages a VoIP session by performing:
• Session setup
• Call conducting
• Session tear down
• Enforces Security, QoS and Call Admission Control (CAC)
• Often installed at a demarcation point between one network segment (Un-Trusted)
and another (Trusted)

What are Session Border Controllers For?

• Connectivity (Connect between any SIP servers)


• Security (DDoS, Call theft, Eavesdropping)
• Quality Assurance (Monitor call quality, Report on quality
issues, Quality enhancements, Call recording)
• Regulatory Compliance (Emergency calls, lawful interception)
• Media Services (RTP/SRTP, Coder Transcoding)
• Statistics and Billing information

SBC Implementations

• Logical Applications/Topologies options:


• Local IP-PBX with SIP Trunk by ITSP
• Hosted IP-PBX
• Two Local IP-PBXs (SIP Normalization)

• Logical Deployment options:


• SBC connected with one leg to LAN
• SBC connected with one leg to DMZ
• SBC connected with one leg to DMZ and another leg to LAN

• Physical SBC Connections:


• Number of ports used for each logical connection, with/without 1+1 port redundancy

Applications / Topologies

• Local IP-PBX with SIP Trunk by ITSP

[Diagram: Enterprise Network with IP-Phone users and IP-PBX on the LAN; SBC; SIP Trunk over the WAN to the ITSP; FEU]

Applications / Topologies

• Hosted IP-PBX

[Diagram: Enterprise Network with IP-Phone users on the LAN; SBC; WAN; Hosted IP-PBX]

Applications / Topologies

• Two Local IP-PBXs (SIP Normalization)

[Diagram: Enterprise Network; IP-Phones on LAN 1; SBC; IP-Phones on LAN 2; IP-PBX]

Logical SBC Connections – One Leg LAN

[Diagram: IP-Phone and IP-PBX on the LAN; Firewall; DMZ; WAN; ITSP]

Logical SBC Connections – One Leg DMZ

[Diagram: IP-Phone and IP-PBX on the LAN; Firewall; DMZ; WAN; ITSP]

Logical SBC Connections – One-Leg DMZ and One-Leg LAN

[Diagram: IP-Phone and IP-PBX on the LAN; Firewall; DMZ; WAN; ITSP]

Physical SBC Connections

• One-Leg (DMZ or LAN)
• Only 1 port required (1 cable)
• Optional: 2 ports, 1+1 redundancy (2 cables)

• VLAN-Aware Switch
• Only 1 port required (1 cable)
• Optional: 2 ports, 1+1 redundancy (2 cables)

• Two-Legs (LAN and DMZ)
• 2 ports used (2 cables)
• 4 ports used, 1+1 redundancy (4 cables)

[Diagrams: SBC port connections to the LAN and the DMZ for each option]

SBC VoIP Features

• NAT Traversal
• Transcoding
• Topology Hiding
• VoIP Firewall
• SIP Routing
• SIP Normalization
• Survivability

NAT Traversal

• Enables communication with ITSP/SIP Trunk using globally unique IP addresses

[Diagram: IP-PBX and SBC (IP address 10.15.11.1) on the Enterprise LAN; FW with public IP address 182.30.15.20; WAN; ITSP Soft Switch]

NAT Traversal (cont’d.)

• SBC supported Far End Users (FEU)
• Maintaining remote NAT binding state by frequent FEU registrations
• First incoming RTP Packet for NAT Traversal using symmetric RTP
• Protocols that can traverse SBC:
• Audio
• Video
• Application
• Text

[Diagram: FEUs on a Home LAN and on the Public Internet; IP PBX on the Enterprise LAN. The FEU registers in the device DB; the SBC offloads FEU refresh registrations and maintains the remote NAT binding]
SBC Transcoding

• Coder Transcoding
• RTP <-> SRTP
• Fax/Modem translations
• RFC 2833 <-> Transparent DTMF <-> SIP INFO
• Transrating
• Voice gain adjustments

[Diagram: the SBC between the IP/PBX or SfB and the ITSP Soft Switch, converting between SRTP and RTP, G.711 and G.729, ptime:20 and ptime:30, T.38, and RFC 2833 and SIP INFO]
Topology Hiding

• Hides the Internal Network


• SBC implements back-to-back user agent (B2BUA):
• VIA stripping
• Independent Route/Record Route per leg
• Use SBC Contact info
• Change Call-ID per leg
• Restrict Caller-ID
• Host Name modification

Security – VoIP Firewall

• SIP Signaling
• SIP classification
• Deep Stateful Packet Inspection (SPI) of all SIP signaling packets
• Packets not belonging to a valid SIP dialog are discarded

• RTP
• Opening pin holes according to Offer/Answer negotiation
• DPI of all RTP packets

[Diagram: a SIP Invite passes the Layer 3-4 Firewall and then the SBC Layer 5-7 Firewall (Authenticate); the outcome is either Discard Message or Message admitted]

Comprehensive Security

[Diagram: security functions shown between Internet/Peers and the Enterprise Core: Layer 3-4 Access List; Wire Speed Rate limiting; TLS and SRTP; Malformed SIP; SIP Context Identification; SIP layer access list; Message Policy; Classification/Routing; CAC (#calls, call rate, bit rate,…); IDS (Abnormal behavior detection); Security Server]
SBC Routing

• Call routing is based on several factors


• Run query to external or internal database
• Multiple destinations

SIP Normalization

• Solves interoperability issues between SIP user agents


• Manipulation of SIP URI user and host
• SIP Header Manipulations
• P-Asserted-ID conversions
• Session timer conversions
• Early media conversions
• Register to ITSP on behalf of the IP-PBX
• Flexible REFER and Forward handling
• And more

SBC Survivability

• Three survivability features:


1. Routing calls to alternative routes such as:
• ITSP
• IP-PBX
2. Routing calls between user agents in the local network using a dynamic DB
(built according to registrations of SIP user agents)
3. Fallback to the PSTN based on E1/T1 connection (Hybrid devices)

Lesson 6

SBC Basic Terminology


Objectives

• After completing this lesson, you will:

• Be familiar with the SBC terminology


• Know what an SRD, a SIP Interface and a Media Realm are
• Know how these are associated with IP Groups and Proxy Sets

Main SBC Operation Modes

• B2BUA
• Maintains independent sessions toward the endpoints
• Processing an incoming request as a User Agent Server (UAS) on the inbound leg
• Processing the outgoing request as a User Agent Client (UAC) on the outbound leg
• SIP messages are modified regarding headers between the legs
• The device's interworking features may be applied

[Diagram: two legs, each with a Request from a UAC to a UAS]

• Stateful Proxy Server
• SIP messages traverse the device transparently (with minimal interference) between the inbound and outbound legs
• No topology hiding

[Diagram: a single Request from the UAC to the UAS]

Signaling Routing Domain (SRD)

• Logical representation of the entire SIP-based VoIP network containing groups of SIP users and servers
• Typically, only a single SRD is required, and this is the recommended configuration topology
• Multiple SRDs are required only for multi-tenant deployments, where they "split" the device into multiple logical devices

Media Realms

• Range of UDP ports associated with an IP network interface


• Used by SBC to perform media (Audio, Video, Fax) anchoring functionality
• Defines maximum number of sessions (based on the ports range)
• Can be assigned to the SIP Interface and/or the IP Group

SIP Interface

• The SIP Interface represents a Layer-3 network (Bounded)


• SIP Interface is associated with one and only one SRD
• It defines a local SBC listening port for SIP signaling traffic on a local, logical IP
Network Interface
• Defines the application, SBC or GW (relevant just for Hybrid devices)
• The SIP Interface is used to receive and send SIP messages with a specific SIP entity
(IP Group)
• Multiple SIP Interfaces may represent multiple SIP entities in the VoIP network:
• SIP Trunk
• LAN IP-PBX
• Remote WAN users

IP Group

• An entity with a set of definitions and behaviors which represents a SIP Group in the IP Network
• 3 Types of IP Group:
• Server: Used when the destination address is known
• User: Represents a group of users whose location is dynamically obtained by the device when they REGISTER
• Gateway: Applicable where the SBC receives requests to and from a gateway representing multiple users
• Used to classify incoming SIP dialog-initiating requests to a source IP Group, based on Proxy Set ID
• Used in IP-to-IP routing rules to denote the source and destination of the call
• It is highly recommended not to modify IP Group ID 0
• You should configure this specific IP Group when it is used for the Gateway Interface (e.g., PSTN fallback)

Proxy Set

• Represents the destination (address) of the Server-type IP Group


• A Proxy Set is a group of Proxy servers defined by IP address or Fully Qualified
Domain Name (FQDN)
• Keep alive mechanism can be implemented
• Each Proxy server address can define:
• Destination SIP port
• Transport type
• Load balancing
• Redundancy mechanisms
• Can be used for message classification

IP-to-IP Routing

• IP-to-IP routing rules define the routes for routing calls between SIP entities
• The routing rules typically employ IP Groups to denote the source and destination
of the call
• Various other source and destination methods can be used
• For example, the source can be a source host name while the destination can be an IP
address or based on an LDAP query

SBC Routing
• IP-to-IP call destination can be:
• Proxy Set associated with the destination IP Group
• Based on Hunt Group
• Registration Database and User IP Group
• Destination address based on: IP-Address, Host Name (FQDN),
Port, Transport Type, SIP Interface
• Based on incoming Request-URI
• Gateway
• Internal
• Alternative routing
• Re-routing of SIP requests
• Call Forking
• IP Group Set
• Destination Tag
• Least Cost Routing (LCR)
• Based on Dial Plan File
• External ENUM server query
• External LDAP server query
• Third-party Routing Server
Inbound and Outbound Number Manipulation

• IP-to-IP Inbound and Outbound manipulation lets you manipulate the user part of
the SIP URI in the SIP message for a specific entity
• Inbound manipulation is done on messages received from the SIP entity
• Outbound manipulation is done on messages sent to the SIP entity

User@Host
[email protected]

Message Manipulation Set (MMS)

• A combination of rules, specified as a set or group of actions, to be attached to an IP Group
• The IP Group page displays 2 fields:
• Inbound Message Manipulation Set
• Set of rules applied on incoming messages (received from the SIP entity)
• Outbound Message Manipulation Set
• Set of rules applied on outgoing messages (sent to the SIP entity)

[Diagram: Incoming Message, SBC, Outgoing Message]

Classification Process

• A process that provides:
1. SIP Firewall
2. Source IP Group

• There are four steps in the classification process:
1. Device's registration database (AOR)
2. Proxy Set
3. Classification Table
4. Reject or Allow unclassified source

• Each stage is done only if the previous stage fails
• If the SBC doesn't find a matching rule (i.e., classification fails), the dialog is rejected
CMR Process (CMR = Classify, Manipulate, Route)

[Diagram: Incoming Message (Leg1) → SIP Interface → Classification → Routing → Outgoing Message (Leg2); "No match" at any of these three stages leads to Reject Dialog. Manipulation points shown: Pre-Parsing Manipulation (SIP Interface); Pre-Classification Manipulation (SIP Interface); Inbound Message Manipulation Set (IP Group); Inbound and Outbound Source and/or Destination Number Manipulation (Optional); Outbound Message Manipulation Set (IP Group)]

SIP Trunk Example

[Diagram: SBC with DefaultSRD between the Enterprise LAN and the WAN.
Enterprise LAN side: Media Port Pool (Ports 7000-7500); SBC SIP Interface, TLS Port 5061 + UDP Port 5085; Gateway SIP Interface (Optional), UDP Port 5050; IP-PBX (TLS 5061); Fax Server (UDP 5085).
WAN side: Media Port Pool (Ports 6000-6500); SBC SIP Interface, UDP Port 5060; Gateway SIP Interface (Optional), TCP Port 5070; ITSP (UDP 5060).
SBC Tables: Classification Process, IP2IP Routing Tables, SBC Manipulation.
Gateway Tables: IP-to-Tel Table, Tel-to-IP Table, GW Routing Tables, GW Manipulation Tables.
Telephony interfaces: FXS (Analog Lines) and E1 (PSTN)]

Lesson 7

SBC Configuration
Lesson Objectives

• After completing this lesson you’ll know how to:

• Configure the parameters required by the SBC

Topology Configuration Example – One Leg LAN

Configuration Stage:
SBC IP: 10.15.11.1 /16 ITSP 1. IP Interface
IP-PBX
Server 1: 200.100.10.5 2. SRD
IP: 10.15.11.2 /16
Server 2: 200.100.10.1 3. Media Realms
Transport Type: TCP 4. SIP Interface
Transport Type: UDP
Listening Port: 5050 5. Proxy Set
Listening Port: 5060
Media Realm: 7000 (50 legs) 6. IP-Group
Media Realm: 8000 (50 legs) 7. IP Profile
Coder: G.711Alaw
Coder: G.711Alaw 8. Routing
9. NAT Translation
10. Classification

Firewall
LAN IP: 10.15.0.1
WAN: 200.100.10.2

Configure IP Addresses – IP Interface Table

IP Address – Physical to Interface

Initial Topology View

Default values for SRDs, IP Groups, Proxy Set, SIP Interfaces, Media Realms
SRD Table
• Default SRD is already pre-configured

SBC default operational mode

Media Realm Table

• The default Media Realm is used for SIP Interfaces and IP Groups for which you have not
assigned a Media Realm
• Ports are allocated in chunks of 2, 4, 5 or 10 (device dependent) called media session legs

Media Realm Extensions

• Media Realm Extensions let you configure a Media Realm with different port ranges or/and
different interfaces
• This means that the Media Realm is distributed across multiple interfaces
• The number of Media Realm Extensions that can be configured depend on the platform

Configuring Media Realms – Example

SIP Interface Table

• Default SIP Interface is already pre-configured and assigned to the default SRD
• Bound to a Layer-3 network
• Defines a local listening port for SIP signaling traffic on a local logical IP network

SIP Interface Table Record
• By default, if you do not configure a name, the device automatically assigns the name
• Assigns a Media Realm
• Select Network Interface
• Select SBC or GW application
• Select UDP, TCP and/or TLS port/s

• Defines the SIP response code that the device sends if a received SIP request (OPTIONS, REGISTER, or
INVITE) fails the SBC Classification process
• The valid value can be a SIP response code from 400 through 699, or it can be set to 0 to not send any
response at all (recommended for security reasons)
• The default response code is 500 (Server Internal Error)
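The four classification stages and the SIP Interface failure response described above, as an added Python model (not AudioCodes code). The addresses for the IP-PBX and ITSP come from the topology example slide; the class and field names, the per-stage matching criteria (AOR plus contact address, source IP, source prefix), and the remaining sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ClassificationRule:
    """Hypothetical shape of one Classification Table row."""
    source_prefix: str
    ip_group: str


@dataclass
class SbcModel:
    registrations: dict          # AOR -> (contact IP, User-type IP Group)
    proxy_sets: dict             # Server-type IP Group -> (classify_by_proxy_set, [addresses])
    rules: list                  # ClassificationRule rows, evaluated in order
    allow_unclassified: bool = False
    failure_response: int = 500  # SIP Interface setting; 0 = send no response


def classify(sbc, source_ip, aor):
    """Run the stages in order; each stage runs only if the previous one failed."""
    # Stage 1: device's registration database (AOR)
    reg = sbc.registrations.get(aor)
    if reg and reg[0] == source_ip:
        return "registration-db", reg[1]
    # Stage 2: Proxy Set (only for IP Groups with 'Classify by Proxy Set' enabled)
    for group, (enabled, addresses) in sbc.proxy_sets.items():
        if enabled and source_ip in addresses:
            return "proxy-set", group
    # Stage 3: Classification Table
    addr = ipaddress.ip_address(source_ip)
    for rule in sbc.rules:
        if addr in ipaddress.ip_network(rule.source_prefix):
            return "classification-table", rule.ip_group
    # Stage 4: reject or allow the unclassified source
    return ("allow-unclassified" if sbc.allow_unclassified else "reject"), None


def handle_request(sbc, source_ip, aor):
    """Return the admission decision and the SIP response sent on failure."""
    code = sbc.failure_response
    if code != 0 and not 400 <= code <= 699:
        raise ValueError("failure response must be 0 or 400..699")
    stage, group = classify(sbc, source_ip, aor)
    if stage == "reject":
        # With 0 the device stays silent, so a scanner gets no confirmation
        # that a SIP listener exists on this port.
        return {"admitted": False, "stage": stage, "ip_group": None,
                "response": None if code == 0 else code}
    return {"admitted": True, "stage": stage, "ip_group": group, "response": None}


# Constructed sample configuration. IP-PBX and ITSP addresses are from the
# topology example; the AOR, "Remote Users" and "LAN Phones" are made up.
EXAMPLE = SbcModel(
    registrations={"sip:1001@example.invalid": ("198.51.100.7", "Remote Users")},
    proxy_sets={
        "IP-PBX": (True, ["10.15.11.2"]),
        "ITSP": (True, ["200.100.10.5", "200.100.10.1"]),
    },
    rules=[ClassificationRule("10.15.0.0/16", "LAN Phones")],
    failure_response=0,
)
```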

Configure SIP Interface Table – Example

IP to Local Signaling and Media Resources
• Multiple SIP Interfaces represent multiple layer 3 networks
• Media Realm shared between multiple SIP Interfaces

[Diagram: SBC with SIP Interfaces 1 to 6 and Media Realms 1, 2, 4 and 5; IP Interface 1 on the LAN (Physical Network 1); IP Interfaces 3 and 4 on the WAN/DMZ (Physical Network 2)]
Proxy Sets Table

Proxy Sets Table

• Define the Proxy Set Name: an arbitrary name to easily identify the Proxy Set
• Select SIP Interface
• Enable Keep-Alive
• Select Redundancy mechanisms: Parking or Homing
• Set Hot Swap
• Enable Load Balancing
• Defines how the device classifies IP calls to the Proxy Set. This parameter is applicable only if the IP Group table's parameter 'Classify by Proxy Set' is set to Enable

Proxy Address Child Table

• Enter Proxy IP address or FQDN


• Enter Destination SIP port & Transport type

Define Proxy Set IP-PBX – Example

Define Proxy Set ITSP – Example

IP Group Table

IP Group Table – General Parameters
• IP Group Name
• Defines the display location of the IP Group in the Topology view
• 3 types: Server, User, Gateway
• Proxy Set Name associated with the Server IP Group
• IP Profile, assigned to the IP Group. The default is ‘None’
• Media Realm, assigned to the IP Group. Choose the name defined in the Media Realm Table from the drop-down list
• The Request-URI host name used in INVITE and REGISTER messages sent to this IP Group, or the host name in the From header of INVITE messages received from this IP Group
IP Group Table – SBC General Parameters
• Enables classification of incoming SIP dialogs (INVITEs) to the IP Group, based on the Proxy Set assigned to the IP Group (Applicable only to Server-type IP Groups)

• Defines the device's operational mode for the IP Group. Options:
• Not Configured = (Default)
• B2BUA
• Call Stateful Proxy
• Microsoft Server (for One-Voice Resiliency feature)

• Defines call forking of INVITE messages to up to five separate SIP outgoing legs for User-type IP Groups. This occurs if multiple contacts are registered under the same AOR in the device's registration database. Options:
• Sequential = (Default)
• Parallel
• Sequential Available Only

• Defines a hostname, which the device uses to overwrite the hostname of the URI in certain SIP headers. When the device forwards a SIP message to this IP Group, the configured hostname overwrites the host part in SIP headers that are concerned with the source of the message
• The parameter is applicable only when the IP Group is the destination of the call
• This parameter has higher priority than the 'SIP Group Name' parameter of the source IP Group
IP Group Table – SBC Other Tabs

Inbound/Outbound Message Manipulation Set: Assigns a Message Manipulation Set (rule) to the IP Group

Define IP Group 1 (IP-PBX) – Example

Define IP Group 2 (ITSP) – Example

IP Profile

• A set of configuration parameters


• Provides high-level adaptation when connected to a variety of equipment, each
of which requires different system behavior
• Assigned to IP Groups

IP Profile
• The configurable parameters for the IP Profile are divided into sections:
• General parameters
• Media Security parameters Related to SRTP
• SBC Signaling parameters
• SBC Early Media parameters
• SBC Registration parameters
• SBC Forward and Transfer parameters Related to SIP Signaling on the SBC
• SBC Hold parameters
• SBC Media parameters
• SBC Fax parameters
• Media parameters Related to Media on the SBC
• Quality of Service parameters
• Jitter Buffer parameters
• Gateway General parameters
• Voice
• Gateway DTMF parameters
• Gateway Fax and Modem parameters
• Answer Machine Detection parameters
• Local Tones parameters
IP Profile

IP to IP Routing Table

IP to IP Routing Table – General and Match Sections
• Route Row / Alternative Route / Forking Group
• Defines the IP Group from where the IP call is received
• Defines the SIP dialog request type:
• All (default)
• INVITE
• REGISTER
• SUBSCRIBE
• INVITE and REGISTER
• INVITE and SUBSCRIBE
• OPTIONS
• From Message Condition Table
• Defines the reason for re-routing the SIP request: Any/3xx/Refer
• Defines the IP Group that initiated (sent) the SIP redirect response 3xx or REFER

IP to IP Routing Table – Action Section

Determines the destination type to which the outgoing SIP dialog is sent.
This can be IP Group, Destination Address, ENUM, LDAP, Request URI, Gateway, etc.

Defines a SIP response code (e.g., 200 OK) or a redirection response. The parameter is applicable only when the 'Destination Type' parameter in this table is configured to Internal – example: Reply(Response='200')
Configuring IP-to-IP Call Routing Rules – Example

Define NAT Translation – Example
• NAT rules for translating source IP addresses per VoIP interface:
• SIP Control
• Media Traffic
• The Global address is set in the SIP Via and Contact headers as well as in the o= and c= SDP fields

First Incoming Packet Mechanism for Remote Users

• The device identifies whether the UA is located behind NAT by comparing the
source IP address of the first received media packet with the IP address and UDP
port of the first received SIP Invite message (Contact header's IP address) when the
SIP session was started

Define Classification Rules (Optional)

Message Conditions (Optional)

Lesson 8

Basic Debugging Tools


Troubleshooting Guidelines

• Understanding the problem

• What are the expected results?

• What are the actual results?

• Collecting data

• Use the relevant data collection tools for problem investigation

Collecting Data

• When reporting a problem, provide AudioCodes Support with:


1. Accurate, clear and detailed problem description
2. Test setup (network diagram, call direction, etc.)
3. Uploaded ini file
4. Syslog trace (without missing messages)
5. Unfiltered Wireshark

• Advanced – Debug Recording (per request):


• PSTN traces for PSTN problems
• DSP traces for problems related to quality, Modem/Fax, DTMF detection, etc.
• IP traces for network issue

What is Syslog?

• Standard for forwarding log messages in an IP network


• A Syslog server is used to remotely record logging information
• Syslog information sent by the device is a collection of error, warning and system
messages that record every internal operation of the device
• Syslog messages are marked with a sequential number
• A Syslog server usually adds the time the message was received and the source IP
address

Syslog Message Format - Example
08:59:10.239 10.15.11.1 local0.notice [S=1974] [SID=a929c9:21:24] ( lgr_sbc)( 1773) Classification Succeeded - Source IP Group #2 (ITSP), - Dest Routing Policy #0
08:59:10.239 10.15.11.1 local0.notice [S=1975] [SID=a929c9:21:24] ( lgr_flow)( 1774) (#3091)SBCRoutesIterator::Change State From: InitialCSRRouting To : InitialRouting
08:59:10.240 10.15.11.1 local0.notice [S=1976] [SID=a929c9:21:24] ( lgr_flow)( 1775) (#3091)SBCRoutesIterator::Change State From: InitialRouting To : AlternativeRouting
08:59:10.241 10.15.11.1 syslog.error 4 packets missing
08:59:10.241 10.15.11.1 local0.notice [S=1981] [SID=a929c9:21:24] ( media_service)( 1780) ServicesMngr: Allocate SBC leg. current active: 1 and max is: 120
08:59:10.242 10.15.11.1 local0.notice [S=1982] [SID=a929c9:21:24] ( lgr_flow)( 1781) (#3091)SBCRoutesIterator::Next route found: Rule #1, Route by: IPGroup , IP Group ID: 1 (SfB), Live:True
08:59:10.242 10.15.11.1 local0.notice [S=1983] [SID=a929c9:21:24] ( lgr_sbc)( 1782) Routing Succeeded -IP2IPRouting Rule #1

• Timestamp and IP Address
• Message Sequence Number: in this example 4 messages were lost
• Unique SIP call session and device identifier. Example: SID=a929c9:21:24
• <last 6 characters of device's MAC address>:<number of times device has reset>:<unique SID counter indicating the call session>

Type of Message
Syslog generates the following types of messages:
• error: Indicates that a problem has been identified that requires immediate handling
• warning: Indicates an error that might occur if measures are not taken to prevent it
• notice: Indicates that an unusual event has occurred
• info: Indicates an operational message
• debug: Messages used for debugging

Enabling Syslog
• Enable Syslog
• Set Syslog Server IP
address and port
• Select the Syslog level
(recommended ‘Detailed’)

Message Log
• View the Syslog messages sent by the device

AudioCodes Syslog Viewer
• A Syslog application provided with the student utilities kit

AudioCodes Syslog Viewer
Stop/Start Writing Log Pause/Resume Logging Flow Diagram

Clear On-Line Syslog Zoom In/Out Disable Auto scroll Options Search Text

Open Saved File Open External Viewer Freeze Display Search Options Search

Number of Error and


Total Number of Warning Messages in
lines in the Log File the Log File

AudioCodes Syslog Viewer
• Syslog can be enabled simultaneously in several devices, reporting to the same Syslog Server

Syslog from different IP Addresses can be viewed

AudioCodes Syslog Viewer
• SIP/SDP messages are properly arranged to be easily identified for analysis

AudioCodes Syslog Viewer
• The SIP/SDP flow diagram can be viewed, refreshed and exported

SIP Flow
Diagram

AudioCodes Syslog Viewer
• The SIP/SDP <-> ISDN flow diagram can be viewed

AudioCodes Syslog Viewer
• Each arrow on the SIP/SDP flow diagram points to the right place in the trace
Highlighted

Points to

SIP Flow
Diagram

AudioCodes Syslog Viewer
• CDR info

AudioCodes Syslog Viewer
• Extracting Single Call

AudioCodes Syslog Viewer

Options

Lesson 9

SBC Wizard (Optional)


SBC Wizard – Overview

• User-friendly online tool designed to get AudioCodes Mediant SBC up and running
quickly and easily
• Step-by-step setup process, presenting the configuration options in a clear way
• Eliminates configuration errors and troubleshooting
• Easy to install Windows-based application
• Includes predefined configurations for a wide range of SBC deployments (SIP trunk, hosting, etc.) with a variety of service providers and IP-PBXs
• Automatic software updates
• Built-in online help
• Available as web built-in and stand-alone application

Welcome Page

SIP Trunk Configuration

System Parameters

Interfaces

IP-PBX Parameters

ITSP Parameters

Number Manipulation

Remote Users (FEU)

Summary

Finish

Hands-on Lab 2

SBC Routing
Lesson 10

SBC Media Handling


Lesson Objectives

• After completing this lesson you’ll:

• Understand the way SBC handles media

• Know SBC media handling security features

• Be able to configure basic and advanced coder transcoding

SBC Media Handling

• Media Behavior – establishing, managing and terminating media sessions within SIP protocol
• Media sessions are created using SIP Offer/Answer mechanism and, if successful, the result is
a bidirectional media flow (Audio, Fax, Modem, DTMF)
• Each Offer/Answer may be negotiated on more than one media session of different types
(e.g., Audio and Fax, Audio and Video)
• In SIP dialog, multiple Offer/Answer transactions may occur
• Each transaction may change media session characteristics (IP address, port, coders, media
types and RTP mode)

Media Capabilities

• Media capabilities exchanged in Offer/Answer transactions:


• Media Types (Audio, Secure Audio, Video, Fax, Text)
• IP addresses and ports of media flow
• Media flow mode (send-receive, receive-only, send-only, inactive)
• Media Coders (coders and their characteristics used in each media flow)
• Other (standard or proprietary) media and session characteristics
v=0
o=AudiocodesGW 500661992 500661991 IN IP4 10.15.7.19
s=Phone-Call
b=CT:1000
t=0 0
m=audio 6010 RTP/AVP 18 2 96
c=IN IP4 10.15.7.19
a=ptime:20
a=sendrecv
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:2 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
SBC Media Security

• NAT Traversal
• SBC changes SDP address to its own

• Firewall and Security


• RTP Pin-Holes – only RTP packets related to a successful Offer/Answer negotiation
traverse the SBC
• Deep Packet Inspection (DPI) of the RTP that flows through the opened Pin-Holes
• Late Rogue Detection – once a dialog is disconnected, related Pin-Holes also disconnect

Media Handling Modes

1. No Media Anchoring
2. Media Anchoring without Transcoding (Transparent)
3. Media Anchoring with Transcoding

IP-PBX ITSP

No Media Anchoring

• Enables SBC signaling capabilities without handling RTP/SRTP (media) flow between
remote SIP UAs
• RTP packet flow does not traverse the SBC; instead, 2 SIP UAs establish a direct RTP/SRTP
flow between one another
• Signaling continues to traverse SBC with minimal intermediation and involvement to
enable SBC capabilities such as routing

[Diagram: SIP Signaling passes through the SBC between SfB and the IP-PBX; Media flows directly between SfB and the IP-PBX]
No Media Anchoring

• Unlike regular SBC implementation:


• Does not perform manipulation on SDP data (Offer/Answer transaction) such as ports,
IP address, coders
• Opening voice channels, and allocating IP Media ports are not required

• Benefits:
• Saves network bandwidth
• Reduces CPU usage (no RTP/SRTP handling)
• Avoids interference in SDP negotiation and header manipulation on RTP/SRTP

No Media Anchoring – SDP Offer/Answer
SBC IP address: LAN: 10.15.11.1
IP-PBX1: 10.15.7.18; IP-PBX2: 10.15.7.21

Incoming SDP Offer (from IP-PBX1):
v=0
o=AC 256624978 46177966 IN IP4 10.15.7.18
s=SBC-Call
t=0 0
m=audio 6080 RTP/AVP 8 18 96
c=IN IP4 10.15.7.18
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15,16

Outgoing SDP Offer (to IP-PBX2):
v=0
o=AC 256624978 46177966 IN IP4 10.15.7.18
s=SBC-Call
t=0 0
m=audio 6080 RTP/AVP 8 18 96
c=IN IP4 10.15.7.18
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Incoming Answer (from IP-PBX2):
v=0
o=AC 1805430843 446730239 IN IP4 10.15.7.21
s=SBC-Call
t=0 0
m=audio 6030 RTP/AVP 8 96
c=IN IP4 10.15.7.21
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Outgoing Answer (to IP-PBX1):
v=0
o=AC 751920232 1406453965 IN IP4 10.15.7.21
s=SBC-Call
t=0 0
m=audio 6030 RTP/AVP 8 96
c=IN IP4 10.15.7.21
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
No Media Anchoring – Global Parameter
• Enables the Direct Media feature for
all SBC calls, whereby SIP signaling is
handled by the device without
handling the media flow between
the user agents (UA)
• The RTP packets do not traverse the
device

No Media Anchoring – SIP Interface Level

• Enables direct media flow or media bypass between endpoints associated with the SIP
Interface for SBC calls
• Disable = (Default) Media Anchoring is employed, whereby the media stream traverses the device
• Enable = Direct Media is enabled; Media stream flows directly between the endpoints
• Enable when Same NAT = Direct Media is enabled; Media stream flows directly between the endpoints if they are located behind the same NAT

No Media Anchoring – IP Profile Level

• Direct media occurs between all UAs whose IP Profiles have the same tag value
(non-empty value)

Media Anchor without Transcoding (Transparent)

• Default media operation mode


• RTP traverses SBC with minimal RTP packet changes (without DSP resources)
• Solves SIP compatibility, NAT, Firewall and Security issues
• All ‘audio’ coders in received offer are included in the outgoing offer

[Diagram: SIP Signaling and Media both pass through the SBC between the IP-PBX and the ITSP]

Media Anchoring without Transcoding (Transparent)

• To direct RTP to flow through SBC, all IP address fields in the SDP are modified:
• IP-Address, Session and Version ID
• Session connection attribute
• Media connection attribute
• Media port number

213
Transparent – SDP Offer/Answer
SBC IP addresses:
LAN: 10.15.11.1
WAN: 200.100.10.20

Incoming SDP Offer (from IP-PBX, 10.15.7.18)

v=0
o=PBX 257389510 1288747123 IN IP4 10.15.7.18
s=SBC-Call
t=0 0
m=audio 6090 RTP/AVP 8 18 96
c=IN IP4 10.15.7.18
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15,16

Outgoing SDP Offer (to ITSP)

v=0
o=AC 2140747574 1560030007 IN IP4 200.100.10.20
s=SBC-Call
t=0 0
m=audio 7030 RTP/AVP 8 18 96
c=IN IP4 200.100.10.20
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Incoming Answer (from ITSP, 182.30.15.20)

v=0
o=ITSP 977558519 1694195807 IN IP4 182.30.15.20
s=SBC-Call
t=0 0
m=audio 6040 RTP/AVP 8 96
c=IN IP4 182.30.15.20
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Outgoing Answer (to IP-PBX, 10.15.7.18)

v=0
o=AC 2083229444 479911099 IN IP4 10.15.11.1
s=SBC-Call
t=0 0
m=audio 8050 RTP/AVP 8 96
c=IN IP4 10.15.11.1
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
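The SDP rewrite listed on the Media Anchoring slide, applied to the Transparent incoming offer, as an added example (not AudioCodes code). The function names and the internal range 10.15.0.0/16 are assumptions; the check at the end reports any internal address still visible in an SDP body, which is what an auditor of the WAN leg would look for.

```python
import ipaddress
import re

# Constructed copy of the "Incoming SDP Offer" on the Transparent slide.
INCOMING_OFFER = "\r\n".join([
    "v=0",
    "o=PBX 257389510 1288747123 IN IP4 10.15.7.18",
    "s=SBC-Call",
    "t=0 0",
    "m=audio 6090 RTP/AVP 8 18 96",
    "c=IN IP4 10.15.7.18",
    "a=sendrecv",
    "a=ptime:20",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:96 telephone-event/8000",
    "a=fmtp:96 0-15,16",
]) + "\r\n"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def anchor_sdp(sdp, sbc_ip, sbc_ports, username, sess_id, sess_version):
    """Rewrite origin (o=), connection (c=) and media port (m=) so that RTP
    is sent to the SBC. sbc_ports supplies one local port per active m= line."""
    addrtype = "IP4" if ipaddress.ip_address(sbc_ip).version == 4 else "IP6"
    ports = iter(sbc_ports)
    out = []
    for line in sdp.splitlines():
        if line.startswith("o="):
            # o=<username> <sess-id> <sess-version> <nettype> <addrtype> <address>
            line = "o=%s %s %s IN %s %s" % (
                username, sess_id, sess_version, addrtype, sbc_ip)
        elif line.startswith("c="):
            # Covers both the session-level and any media-level c= line.
            line = "c=IN %s %s" % (addrtype, sbc_ip)
        elif line.startswith("m="):
            fields = line[2:].split()
            if fields[1] != "0":          # port 0 marks a rejected stream
                fields[1] = str(next(ports))
            line = "m=" + " ".join(fields)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def leaked_addresses(sdp, internal_nets):
    """Return (field, address) pairs for IPv4 addresses inside internal_nets."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    found = []
    for line in sdp.splitlines():
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:            # e.g. 999.1.1.1 is not an address
                continue
            if any(addr in net for net in nets):
                found.append((line[:2], token))
    return found


if __name__ == "__main__":
    wan_offer = anchor_sdp(INCOMING_OFFER, "200.100.10.20", [7030],
                           "AC", "2140747574", "1560030007")
    print(wan_offer)
    print("leaks before:", leaked_addresses(INCOMING_OFFER, ["10.15.0.0/16"]))
    print("leaks after: ", leaked_addresses(wan_offer, ["10.15.0.0/16"]))
```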
214
Media Anchoring with Transcoding

• SBC performs transcoding when there are no common coders between 2 UAs involved in a
specific session
• RTP traverses the SBC, and each leg uses a different coder or coder parameters
• Transcoding is performed when an SDP answer from one UA does not include any coder
included in offer previously sent by the other UA
• For transcoding, SBC can be configured to add media capabilities to UAs of a specific IP
Group, then perform transcoding when selected coder in answer SDP doesn’t appear in
original offer
• DSP resources are required

IP-PBX ITSP

SIP Signaling
Media A
Media B
215
Transcoding – SDP Offer/Answer
SBC IP addresses:
LAN: 10.15.11.1
WAN: 200.100.10.20

Incoming SDP Offer (from IP-PBX, 10.15.7.18)

v=0
o=PBX 1741090166 564924681 IN IP4 10.15.7.18
s=SBC-Call
t=0 0
m=audio 6120 RTP/AVP 8 0 96
c=IN IP4 10.15.7.18
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15,16

Outgoing SDP Offer (to ITSP)

v=0
o=AC 1996517464 72690348 IN IP4 200.100.10.20
s=SBC-Call
t=0 0
m=audio 7040 RTP/AVP 8 18 9 96      <- Extended Coder
c=IN IP4 200.100.10.20
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:9 G722/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Incoming Answer (from ITSP, 182.30.15.20)

v=0
o=ITSP 1152584458 712535162 IN IP4 182.30.15.20
s=SBC-Call
t=0 0
m=audio 6070 RTP/AVP 18 96
c=IN IP4 182.30.15.20
a=sendrecv
a=ptime:20
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15

Transcoding

Outgoing Answer (to IP-PBX, 10.15.7.18)

v=0
o=AC 1338124955 1853106459 IN IP4 10.15.11.1
s=SBC-Call
t=0 0
m=audio 8020 RTP/AVP 8 96
c=IN IP4 10.15.11.1
a=sendrecv
a=ptime:20
a=rtpmap:8 PCMA/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
216
Number of Media Channels
• Number of Media Channels:
• Defines the maximum number
of DSP channels that can be
used for features requiring DSP
Resources
• The default is -1, meaning that
the maximum number of DSP
channels, as licensed in the
License Key ('DSP Channels') are
made available

217
SBC Virtual (VE), Cloud (CE) and Server (SE) Editions

• Optimized for SIP (Default)


• Optimization of CPU cores allocation to
improve SIP performance such as CPS
• Optimized for SRTP
• Optimization of CPU cores allocation to
improve maximum SRTP capacity
• Optimized for Transcoding
• Optimization of CPU cores allocation to
enable all DSP-required features, for
example, transcoding and voice in-band
detectors

218
Media Security
• Enables Secure Real-Time Transport Protocol (SRTP)

219
SRTP-RTP Transcoding
• SBC supports SRTP-RTP transcoding
• IP Profile parameter SBC Media Security Mode enforces
SBC legs to use SRTP/RTP
• Options:
• As is: SBC passes the media as is (default)
• Secure: SBC leg negotiates only SRTP media lines
• RTP media lines are removed from incoming SDP Offer/Answer
• Not Secure: SBC leg negotiates only RTP media lines
• SRTP media lines are removed from incoming Offer/Answer
• Both: Each Offer/Answer is extended (if it hasn’t been already)
to two media lines – one RTP and the other SRTP
• Offer Both - Answer Prefer Secured: The device prefers secured
media on the outgoing SDP answer

220
Extension Coders

• Extends the Media offering’s coders


• Extended coders are added only on the outgoing leg

Add G.729
G.711 + G.723 G.711 + G.723 + G.729

Group 2
Extended coder list contains:
G.711, G.729

221
Extension Coders
• Select from ‘Coder Name’ drop-down

222
Extension Coders
• Assign Coder Group to IP Profile

223
Allowed Coders Group

• Determine coders to be used for a specific SBC leg


• Excluded coders are removed from the SDP offer

Remove G.723
G.723 + G.711 G.711

Group 2
Allowed Coders Group contains:
G.711

224
Allowed Coders – Incoming Offered

• At least one incoming coder must be in the Allowed Coders Group

Call Dropped

G.723 + G.711

Group 1 Group 2
Allowed Coders Group contains: Allowed Coders Group contains:
G.726 G.711
G.723

Remove G.723
G.723 + G.711 G.711

Group 1 Group 2
Allowed Coders Group contains: Allowed Coders Group contains:
G.711 G.711
G.726 G.723
225
Allowed Audio Coders Group

226
Assign Allowed Audio Coder Group to IP Profile

227
Allowed Coders Mode

• Restriction
• Checks for a match between Allowed Coders of the incoming group and the offered coders
• At least one must match
• SBC removes all coders arriving in incoming SDP except matched coders in outgoing
Allowed Coders Group (only coders common to offered SDP and Allowed Coders Group are
used)
• Preference
• SBC reprioritizes coders based on Allowed Coders Group
• The coders received in the SDP offer are listed after the Allowed Coders
• Restriction and Preference
• Enables both, removes disallowed coders and reprioritizes coders

228
Allowed Coders Mode
• Determines mode of Allowed Coders feature
• Impacts Extension Coders priority
• Configured in IP Profile Settings (SBC Media Section)

229
Change Coder Priority

• Allowed Coders are used to prioritize coders
• The coder with the highest priority is listed first

Group 2 - Allowed coder list: G.729, G.711, G.723
Mode: Restriction and Preference
Group 2 - Extended Coder: G.729

1. Incoming offer: G.723 + G.711 + G.722
2. Outgoing offer: G.711 + G.723 + G.729

Answer Coder (200 OK): G.711 on both legs

230
Extended Coders Behavior
• Orders the coders in the outgoing SIP message
• Applicable only if an Extension Coders Group
is assigned to the IP Profile
• Doesn’t Include Extensions: Extension coders
are added at the end of the coder list (default)
• Include Extensions: Extension coders arranged
according to order in the Allowed Coders Group
table

231
Change Coder Priority – Include Extensions

• Allowed Coders are used to prioritize coders
• The outgoing offer is built from the coder list
• The coder with the highest priority is listed first

Group 2 - Allowed coder list: G.729, G.711, G.723
Mode: Restriction and Preference
Mode: Include Extensions
Group 2 - Extended Coder: G.729

1. Incoming offer: G.723 + G.711 + G.722
2. Outgoing offer: G.729 + G.711 + G.723

Answer Coder (200 OK) on the incoming-offer side: G.723
Answer Coder (200 OK) on the outgoing-offer side: G.729

232
Coder Transcoding Flow
Server 1 Server 2
SBC

Extension
Allowed Coders Extension Allowed
Coders (not use) Coders Coders
Call 1 IP Group 1 IP Group 2
IP Profile IP Profile

Call 2
Allowed Extension Extension Allowed
Coders Coders Coders Coders
(not use)

233
Media Handling Example 1

• IP-PBX supports G.711A-law and G.729


• ITSP supports only G.729
• No special media limit

IP-PBX: ITSP:
G.711A-law G.729
G.729

234
Media Handling Example 1

• Special coder configuration not necessary

IP-PBX SBC ITSP


G.711A + G.729
No Change
G.711A + G.729

G.729
No Change
G.729

235
Media Handling Example 2

• IP-PBX supports G.711A-law and G.729


• ITSP supports only G.729 and G.711A-law
• Issue: ITSP wants to work only with G.729 (it requires that G.711A-law not be sent)

IP-PBX: ITSP:
G.711A-law G.729
G.729 G711A-Law

236
Media Handling Example 2

• To avoid G.711A negotiation, remove it from the outgoing offer and allow just G.729

237
Media Handling Example 2

• In ITSP’s IP Profile, assign the Allowed Audio Coders Group, to offer only G.729

238
Media Handling Example 2

IP-PBX SBC ITSP


G.711A + G.729
Remove
G.711A
G.729

G.729
No Change
G.729

239
Media Handling Example 3

• IP-PBX supports only G.711A-law


• ITSP supports G.729
• Issue: There isn’t a common coder

IP-PBX: ITSP:
G.711A-law G.729

240
Media Handling Example 3
• Add G.729 and G.711A to the outgoing offering:
• Create a Coders Group (AudioCodersGroup_2) and select G.729 and G.711A from the drop-down

241
Media Handling Example 3
• In the ITSP’s and the IP-PBX’s IP Profiles, assign the Extension Coders Group
(AudioCodersGroup_2), to add the missing coders to the offering

242
Media Handling Example 3

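Call from IP-PBX to ITSP (IP-PBX, SBC, ITSP):
• Incoming offer: G.711A
• SBC: Add G.729
• Outgoing offer: G.711A + G.729
• Answer: G.729
• Transcoding
• Answer sent on: G.711A

Call from ITSP to IP-PBX (ITSP, SBC, IP-PBX):
• Incoming offer: G.729
• SBC: Add G.711A
• Outgoing offer: G.729 + G.711A
• Answer: G.711A
• Transcoding
• Answer sent on: G.729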

243
Media Handling Example 4

• IP-PBX supports G.711A-law, G.711U-law and G.723


• ITSP supports only G.729, G.711A-law and G.726
• Issue:
• Add G.729 and G.726 to the outgoing offering
• Remove G.711U-law and G.723 from the outgoing offering
• Change the coders order

IP-PBX: ITSP:
G.711A-law G.729
G.711U-law G.711A-law
G.723 G.726

244
Media Handling Example 4

• Create an Allowed Audio Coders Group and select G.729, G.711A and G.726 coders

245
Media Handling Example 4
• Add G.729 and G.726 to the outgoing offering:
• Create Coders Group (AudioCodersGroup_2) and select G.729 and G.726 coders

246
Media Handling Example 4
• ITSP IP Profile:
• Extension Coders Group (AudioCodersGroup_2), to add G.729 and G.726 to the outgoing offering
• ITSP Allowed Audio Coders Group, to remove G.711U and G.723
• Allowed Coders Mode = Restriction and Preference, to perform both
• Media Settings:
• Extended Coders Behavior: Include Extensions

247
Media Handling Example 4

IP-PBX SBC ITSP


G.711A+G.711U+G.723
Add
G.729 + G.726

Remove
G.711U+G.723
G.729+G.711A+G.726

G.729

Transcoding
G.711A
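The coder slides above (Allowed Coders, Extension Coders, Allowed Coders Mode, Extended Coders Behavior and Media Handling Examples 2 to 4) can be checked with a small model. This is an added example, not AudioCodes code: the function names are hypothetical, and it assumes that extension coders are subject to the outgoing Allowed Coders Group when a restriction mode is set and that Preference reorders only coders already present.

```python
class CallRejected(Exception):
    """No coder survives an Allowed Coders Group restriction."""


def apply_allowed(coders, allowed, mode):
    """Apply an Allowed Coders Group to a coder list.

    mode is "restriction", "preference" or "restriction_and_preference".
    An empty or missing group leaves the list unchanged.
    """
    result = list(coders)
    if not allowed:
        return result
    if mode in ("restriction", "restriction_and_preference"):
        # Only coders common to the offer and the group are kept.
        result = [c for c in result if c in allowed]
    if mode in ("preference", "restriction_and_preference"):
        # Allowed coders first, in group order; remaining coders after them.
        preferred = [c for c in allowed if c in result]
        result = preferred + [c for c in result if c not in preferred]
    return result


def outgoing_offer(offered, in_allowed=None, out_allowed=None,
                   out_mode="restriction", extension=None,
                   include_extensions=False):
    """Coder list the SBC places in the outgoing SDP offer."""
    # Incoming leg: at least one offered coder must be in its group.
    coders = apply_allowed(offered, in_allowed, "restriction")
    if not coders:
        raise CallRejected("no offered coder is in the incoming Allowed Coders Group")
    # Extension coders are added on the outgoing leg only, without duplicates.
    ext = [c for c in (extension or []) if c not in coders]
    if include_extensions:
        # "Include Extensions": extensions are ordered with the other coders.
        result = apply_allowed(coders + ext, out_allowed, out_mode)
    else:
        # Default: extension coders are appended at the end of the list.
        restricts = bool(out_allowed) and out_mode != "preference"
        result = apply_allowed(coders, out_allowed, out_mode)
        result += [c for c in ext if not restricts or c in out_allowed]
    if not result:
        raise CallRejected("no coder is left for the outgoing offer")
    return result


def needs_transcoding(original_offer, answer_coder):
    """Transcoding is needed when the answered coder was not in the original offer."""
    return answer_coder not in original_offer


if __name__ == "__main__":
    # Media Handling Example 4 from the slides.
    pbx_offer = ["G.711A", "G.711U", "G.723"]
    offer = outgoing_offer(pbx_offer,
                           out_allowed=["G.729", "G.711A", "G.726"],
                           out_mode="restriction_and_preference",
                           extension=["G.729", "G.726"],
                           include_extensions=True)
    print(offer, needs_transcoding(pbx_offer, "G.729"))
```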

248
Hands-on Lab 3

SBC Transcoding
Lesson 11

SBC Number & Message Manipulation


Lesson Objectives

• After completing this lesson, you’ll:

• Understand the reasons for Number & Message Manipulation

• Know how to perform Number & Message Manipulation

251
Reminder: CMR Process

[Diagram: CMR process. Main path: Incoming Message (Leg1), SIP Interface, Classification, Routing, Outgoing Message (Leg2); "No match" leads to Reject Dialog. Manipulation points shown: Pre-Parsing Manipulation (SIP Interface); Pre-Classification Manipulation (SIP Interface); Inbound Message Manipulation Set (IP Group); Inbound Source and/or Destination Number Manipulation; Outbound Source and/or Destination Number Manipulation; Outbound Message Manipulation Set (IP Group); (Optional)]

252
SBC Number Manipulation

• Done according to manipulation tables, similar to what’s done for routing


• Inbound manipulations are done before routing
• Inbound manipulation rule matching can be done by:
• Source IP Group
• Source and/or destination host and/or user prefixes
• Outbound manipulations are done after routing
• Outbound manipulation rule matching can be done by
• Destination IP Group
• Source IP Group
• Source and/or destination host and/or user prefixes
• Message Condition
• Tags
• Calling Name Pattern

253
SBC Inbound Number Manipulations

• Configure rules to manipulate SIP URI user part (source and destination)
of inbound SIP dialog requests
• Rules can be applied to user-defined SIP request type (INVITE,
SUBSCRIBE and/or REGISTER)
• Manipulation of Destination URI user part performed on these SIP
headers:
• Request URI
• To
• Remote-Party-ID (if it exists)
• Manipulation of Source URI user part is performed on these SIP
headers:
• From
• P-Asserted (if it exists)
• P-Preferred (if it exists)
• Remote-Party-ID (if it exists)

254
SBC Inbound Number Manipulations

255
SBC Inbound Number Manipulations – Match Area
• Name
• Additional Manipulation: use same matching
condition as row listed above
• Manipulation Purpose: Defines the purpose
of the manipulation

• Request Type: SIP request type to which the


rule is applied
• Source IP Group: the IP Group from where the
incoming INVITE is received
• Source Username Pattern
• Source Host
• Destination Username Pattern
• Destination Host

256
SBC Inbound Number Manipulations – Action Area

• Manipulated Item: Determines whether the Source or Destination SIP URI user part is
manipulated
• Remove From Left
• Remove From Right
• Leave From Right: Defines the number of characters that you want retained from
the right of the user part
• Prefix to Add
• Suffix to Add

257
SBC Outbound Number Manipulations

• Configure rules to manipulate SIP URI user part (Source and Destination)
of outbound SIP dialog requests
• Rules can be applied to user-defined SIP request type (INVITE,
SUBSCRIBE and/or REGISTER)
• Manipulation of Destination URI user part performed on these SIP
headers:
• Request URI
• To
• Remote-Party-ID (if it exists)
• Manipulation of Source URI user part is performed on these SIP
headers:
• From
• P-Asserted (if it exists)
• P-Preferred (if it exists)
• Remote-Party-ID (if it exists)

258
SBC Outbound Number Manipulations

259
SBC Outbound Number Manipulations Match Area

• Same parameters as inbound, except for:


• Destination IP Group
• IP Group where the INVITE is being sent
• Calling Name Pattern
• Pattern of the calling name (Caller ID), which
appears in the SIP From header
• Message Condition
• Assigns a Message Condition rule as a
matching characteristic
• Reroute IP Group
• Defines the IP Group that initiated (sent) the
SIP redirect response. The parameter
functions together with the 'Call Trigger'
parameter

260
SBC Outbound Number Manipulations Action Area
• Same parameters as in Inbound except for:
• Manipulated Item
• Determines whether the Source, Destination SIP URI or Calling Name user part is manipulated
• Privacy Restriction Mode
• Determines user privacy handling by restricting source user identity in outgoing SIP dialogs
• Options: Transparent (default), Don’t change privacy, Restrict, Remove Restriction

261
Message Manipulation

262
Why SIP Message Manipulation?
• Key SBC requirements:
• Each customer has distinct requirements for SBC fundamentals of Security, Interworking and Interoperability

• Multiple devices support SIP but do not interwork because of differences in how the protocol is implemented
or interpreted

• Manipulation customizes SIP messaging on either side to what devices in that network segment expect

• ITSPs or enterprises may have policies for which SIP messaging fields should be present before a SIP call
enters their network

• Resolves incompatibilities between SIP devices inside the enterprise network or between networks

• Self-service programmable tool that saves the time required to develop a software ‘patch’ for each customer

263
Message Manipulation

• A combination of rules, specified as a set or group of actions, to be attached to an IP Group


• Message Manipulation rules can be applied pre-classification or post-classification
• Pre-classification Process:
• On incoming SIP dialog-initiating messages (e.g., INVITE) prior to the classification process
• The Manipulation Set ID is assigned to the SIP Interface on which the call is received
• Post-classification Process:
• On inbound and/or outbound SIP messages after the call has been successfully classified
• The Manipulation Set ID is assigned to the relevant IP Group in the IP Group table

264
Inbound/Outbound Manipulation

• IP Group pages display 2 fields:


• Inbound manipulation set: Set of rules to apply to incoming messages (from this IP Group)
• Outbound manipulation set: Set of rules to apply to outgoing messages (to this IP Group)
• Applied per message and not per call
• For example:
• IP Group 1 has 2 Message Manipulation Sets, one for Outbound and one for Inbound, for the same call:
• Incoming INVITE goes through Inbound MMS
• 100, 180 and 200 OK responses go through Outbound MMS
• IP Group 2 has 2 Message Manipulation Sets, one for Outbound and one for Inbound, for the same call:
• Outgoing INVITE goes through Outbound MMS
• 100, 180 and 200 OK responses go through Inbound MMS

[Diagram: Invite, 100 Try, 180 Ringing and 200 OK exchanged between the IP-PBX and the ITSP through the SBC]

IP Group 1 – IP-PBX
Inbound Message Manipulation Set = 1
Outbound Message Manipulation Set = 2

IP Group 2 - ITSP
Inbound Message Manipulation Set = 3
Outbound Message Manipulation Set = 4
265
Message Manipulation Configuration

• Message Manipulation Table used to configure rules and relate them to a set of rules
• Rule configuration enables adding, modifying or removing most message content
• A rule can be conditionally applied
• Removing or adding mandatory SIP headers is not allowed; modifying mandatory SIP headers
is allowed, and is performed only on requests that initiate new dialogs:
• Mandatory headers in the Invite message include:
• Request URI, To, From, Contact, Via, CSeq, Call-Id and Max-Forwards
• Mandatory SDP headers in the Invite message include:
• v, o, s, t, c, m
• When multiple rules apply to the same header, the second rule applies to the first rule’s
result string

266
Message Manipulation – Manipulation Set ID

• Post-Classification Process: message manipulation is done on inbound and/or outbound SIP


messages after the call has been successfully classified
• Each Manipulation Set rule contains a Manipulation Set ID
• Same Manipulation Set ID can be configured for multiple rules
• Assigned to IP Group for inbound and/or outbound messages

267
Message Manipulation – Syntax

268
Message Manipulation – Message Type
• The Message Type to manipulate
• Rule applied only if this is the message type

Message Manipulation table columns:
• General: Name, Manipulation Set ID, Row Role
• Match: Message Type, Condition
• Action: Action Subject, Action Type, Action Value

• Syntax: method.message-role.response-code

• Method
• Invite, Subscribe, Refer – rule applies only to specific messages
• Unknown – Unknown methods also allowed
• Any (or empty) – No limitation on method type
• Message-role
• Request – Rule applies only on requests
• Response – Rule applies only on Response message
• Response-code
• 3xx – Any redirection response
• 200 – Only 200 OK response

Examples:
• Invite
• Invite.Request
• Invite.Response.180
• Register
• Any.Response.3xx

269
Message Manipulation – Condition
• Rule-matching criteria (conditions)
• If criterion (condition) exists, rule applies

• Syntax: <option type> <match-type> match-condition

• Editor Options:
• Header, Body, Param, Var, SrcTags, DstTags, Message, Func
• Match-type
• "==", "!=", ">", "<", ">=", "<=", "contains", "!contains", "exists", "!exists", "len>", "len<", "len==",
"suffix", "prefix", "insubnet", "!insubnet", "regex"
• Logical-expression
• "AND" – Logical And
• "OR" – Logical Or

Examples:
• header.contact contains 'audiocodes'
• header.from.url.user != '100' OR header.from.url.user != '200'
• header.from.url.user == '100' AND header.to.url.user == '200'
• Body.sdp !exists
• Header.P-Asserted-Identity regex (.*)(<SIP:)(.*)(>)
270
Message Manipulation – Action Element
• Header on which manipulation is performed
• Message element that changes

• Syntax: ("header"/"body").message-element-name [.header-index] [.(sub-element/sub-element-param)]

• Editor Options:
• Header, Body, Param, Var, Message
• Message-element-name – Name of message element
• From, To, Application/SDP
• Header-index – Header's index in the list of headers (if several same-type headers arrive)
• 0 or none = first header
• 1 = second header
• 4 = fifth header
• Sub-element – Header's element
• User, Host

Examples:
• Header.History-Info.1
• header.from
• header.contact.url.user
• header.referred-by.url.host

271
Message Manipulation – Action Type

• The action to be performed on the element

• Syntax:
• Add = adds a new header (or parameter or body)
• Remove = removes a header (or parameter or body)
• Modify = sets the element to the new value (replace the entire element)
• Normalize = removes unknown SIP message elements before forwarding the message
• Add Prefix = adds the value at the beginning of the element string
• Remove Prefix = removes the value from the beginning of the element string
• Add Suffix = adds the value at the end of the element string
• Remove Suffix = removes the value from the end of the element string

Recommended: Regular expression

272
Message Manipulation – Action Value

• Value to use in the manipulation

• Syntax: (string/message-element/param)("+"(string/message-element/param))

• String
• 'test.local', '<sip:[email protected]:5067>'
• Message-element
• header.from.user, header.contact.url.user
• Param
• param.ipg.src.user, param.call.dst.host
• Combination
• param.ipg.dst.host + '.com'

Examples:
• '3600'
• 'Bob'
• header.to.url.host
• 'Mike@'+Header.To.URL.Host.Name
• Param.IPG.Dst.User+'com'
273
Message Manipulation – Row Role

• Determines which condition to use for this table row’s rule

• 2 options:
• Use Current Condition = use only the condition entered in this row
• Use Previous Condition = use the condition of the rule configured directly above this row
(to perform the defined action)
• When multiple manipulation rules apply to the same header, the next rule applies
to the result string of the previous rule

274
SIP Message Normalization

• Feature that can be enabled per manipulation rule when Action Type is set to "Normalize"
• Removes unknown or non-standard SIP message elements before forwarding the message
• These elements can include SIP headers, SIP header parameters, and SDP body fields
• The device normalizes the following SIP elements:
• Message:
• Removes unknown or non-standard SIP headers
• URLs:
• User part is normalized
• Headers:
• Unknown header parameters are removed
• URLs are normalized
• SDP Body:
• Removes unnecessary SDP fields (except m=, v=, o=, s=, c=, t=, and r=)
• Removes unknown media with all its attributes

275
SIP Message Normalization – Examples

Rules (columns: Name, Manipulation Set ID, Row Role, Message Type, Condition, Action Subject, Action Type, Action Value):
• Example 1: Manipulation Set ID = 1; Row Role = Use Current Condition; Message Type = invite; Action Subject = header.to; Action Type = Normalize
• Example 2: Manipulation Set ID = 4; Row Role = Use Current Condition; Message Type = invite; Action Subject = message; Action Type = Normalize

• Example 1:
• To header before normalization:
• To: <sip:1-800-300-500;[email protected];user=phone;UnknownUrlParam>
• To header after normalization:
• To: <sip:[email protected];user=phone>
• Example 2:
• All the headers to be normalized
276
SIP Message Normalization – Body Example
Rule (columns: Name, Manipulation Set ID, Row Role, Message Type, Condition, Action Element, Action Type, Action Value):
• Example 3: Manipulation Set ID = 4; Row Role = Use Current Condition; Message Type = invite; Action Element = body.sdp; Action Type = Normalize

SDP before normalization

v=0
o=SMG 791285 795617 IN IP4 10.33.2.17
s=Phone-Call
i=A Seminar on the session description protocol
u=http://www.example.com/seminars/sdp.pdf
[email protected] (Jane Doe)
c=IN IP4 10.33.2.26
t=0 0
m=unknown 6000 RTP/AVP 8
a=unknown
a=sendrecv
a=ptime:20
m=audio 6000 RTP/AVP 8
a=rtpmap:8 pcma/8000
a=sendrecv
a=unknown
a=ptime:20

SDP after normalization

v=0
o=SMG 791285 795617 IN IP4 10.33.2.17
s=Phone-Call
c=IN IP4 10.33.2.26
t=0 0
m=audio 6000 RTP/AVP 8
a=rtpmap:8 pcma/8000
a=sendrecv
a=ptime:20
277
SIP Message Manipulation – Example Rules

278
SIP Message Manipulation – Example Rules

279
Example: Change Referred-By to Diversion
• ITSP expects Diversion and not Referred-By

280
SIP Interface Pre-Classification

• Assigns a Message Manipulation Set ID to the SIP Interface in the SIP Interface table


• Applies SIP Message Manipulation rules to incoming SIP dialog-initiating request messages
received on this SIP Interface, prior to the Classification process
• By default, no Message Manipulation Set ID is defined

281
SIP Interface Pre-Parsing Manipulation Sets

• Messages can be manipulated in their original format (plain text) as received from
the network
• Pre-Parsing Manipulation is done before Pre-Classification Manipulation and
Classification
• Pre-parsing rules assigned to the SIP Interface
• A regular expression (regex) is used both to search for (match) a pattern in the incoming
message and to replace the matched pattern
• Parent – Child Table type

282
SIP Interface Pre-Parsing

283
Lesson 12

SBC Security
Lesson Objectives

• After completing this lesson you’ll:

• Be acquainted with enterprise security threats

• Know SBC security capabilities

285
Introduction

• VoIP networks must be secured against unauthorized access (similarly to IP networks)


• Threats endangering enterprise network security:
• Denial of Service (DoS) attacks
• Network abuse and fraud
• Viruses and malware
• Overload events
• Identity theft
• Eavesdropping
• Spam over Internet Telephony (SPIT)
• These threats can exist at the following IP network border points:
• Interconnect: SIP trunks to ITSPs
• Trusted access: Private, managed IP
• Un-trusted access: Unmanaged

286
Threats

• Denial of Service (DoS) attacks


• Malicious attacks designed to cripple your VoIP network by overloading it with calls or
service requests

• Overload events
• Non-malicious periods of intense activity can also cause an increase in call signaling rates
that exceed what your infrastructure can support

• Network abuse and fraud


• An unauthorized user gaining access to your VoIP network by mimicking an authorized
user or seizing control of a SIP proxy and initiating outbound calls for free

• Viruses and malware


• Computer viruses, worms, trojan horses, and other malware can degrade performance or
completely disrupt service
287
Threats (cont.)

• Identity theft
• Phishing and "man-in-the-middle" can be used to acquire caller identification information
to gain unauthorized access to services and information

• Eavesdropping
• The ability to listen to or record calls on VoIP networks - personal privacy violations

• Spam over Internet Telephony (SPIT)


• The delivery of unsolicited calls or voicemails can inundate networks, annoy subscribers,
and diminish the usefulness of VoIP networks

288
Security Solution

• AudioCodes SBC provides a comprehensive package of security features that


handles the following two main security areas:

• Securing the Service


• Secures the call services it provides by implementing separation and defense of different
network entities (e.g., SIP Trunk, softswitch, and users)
• Accomplished by the following:
• Physical separation of networks
• Defense against attacks on the SBC regarding SIP signaling and media
• IP Groups per entity

• Securing the SBC Itself


• Management
• Ensuring that only authorized users can access the management interface

289
SBC Security Features

• Network
• VLAN Separation
• Firewall
• Topology Hiding
• SBC
• Advanced SIP Firewall Filtering Rules (Classification rules)
• Advanced Call Admission Control (CAC) to enforce limits
• Intrusion Detection System (IDS)
• SIP Protection – Filter methods
• Signaling Security – TLS
• Media Security – SRTP
• Block Unregistered Users
• Management
• HTTPS
• SSH
• SNMP
290
Enhanced Multi-Tenant Security Support

• Non-bleeding partition per tenant running on a single shared physical entity


• Dedicated VLAN/SRD for each customer
• Dedicated Routing Policy per customer
• Call Admission Control (CAC) effectively allocated per customer

291
Topology Hiding

• Limits internal topology information displayed to external parties


• Enterprise equipment IP addresses (proxies, gateways and application servers) can be
hidden from outside parties
• Provided by implementing B2BUA leg routing
• Strips all incoming SIP Via headers and creates a new Via value for the outgoing message
• Each leg has its own Route/Record Route set
• Generates a new SIP Call-ID header value for each leg
• Changes the SIP Contact header to the SBC’s own address
• Modifies the source IP address of the SIP message
• Modifies the SIP Header (Request-URI, To, and From )

292
Topology Hiding – Example
• Host name in the From header of Invite messages received from the IP Group or the
Request-URI host name used in Invite and Register messages sent to the IP Group

293
Implement Layer 3/4 (Network) Firewall

• Create rules that allow only known sessions


• Define rules as specific as possible
• Add firewall rules per network interface
• Limit traffic (for specific protocols, and/or specific port)
• Limit ICMP packets (avoid ICMP floods)
• Define bandwidth limitation per rule
• Block all other traffic
• This rule must be the last rule listed in the table

• SBC default:
• If the end of the table is reached without a match, the packet is accepted
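Why the block-all rule has to be the last row, shown as an added example (a simplified model, not the device's implementation). It assumes rules are evaluated top-down with the first match winning; the rule fields, the port 5061 and the source 203.0.113.50 are constructed for illustration, while 182.30.15.20 is the ITSP address used in the earlier SDP slides.

```python
import ipaddress
from collections import namedtuple

# Hypothetical rule shape: source subnet, protocol, destination port, action.
Rule = namedtuple("Rule", "src proto port action")
ANY = None


def evaluate(table, src_ip, proto, port):
    """Return (action, index of the matching rule or None)."""
    addr = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(table):
        if addr not in ipaddress.ip_network(rule.src):
            continue
        if rule.proto is not ANY and rule.proto != proto:
            continue
        if rule.port is not ANY and rule.port != port:
            continue
        return rule.action, index
    # End of table reached without a match: the packet is accepted.
    return "allow", None


def audit(table):
    """Flag a missing or misplaced block-all rule."""
    findings = []
    block_all = [i for i, r in enumerate(table)
                 if r.action == "block" and r.proto is ANY and r.port is ANY
                 and ipaddress.ip_network(r.src).prefixlen == 0]
    if not block_all:
        findings.append("no block-all rule: unmatched packets are accepted")
    elif block_all[0] != len(table) - 1:
        findings.append("block-all at index %d shadows every rule after it"
                        % block_all[0])
    return findings


# Weak table: only the known session is listed, nothing blocks the rest.
WEAK = [Rule("182.30.15.20/32", "tcp", 5061, "allow")]
# Corrected table: same specific rule, block-all as the last row.
HARDENED = WEAK + [Rule("0.0.0.0/0", ANY, ANY, "block")]
# Misordered table: block-all first, so the ITSP rule never matches.
MISORDERED = [HARDENED[1], HARDENED[0]]

if __name__ == "__main__":
    for name, table in (("weak", WEAK), ("hardened", HARDENED),
                        ("misordered", MISORDERED)):
        print(name, evaluate(table, "203.0.113.50", "udp", 5060), audit(table))
```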
294
Layer 3/4 Traffic Firewall Rules – Example

Defines the firewall action to be performed upon rule match:
"Allow" = (Default) Permits these packets
"Block" = Rejects these packets

295
Call Admission Control

• Prevents VoIP traffic overload (overload protection)


• Regulates VoIP traffic volume
• SIP-dialog rate control using the “token bucket” mechanism
• Can be applied to:
• SRD
• SIP Interface
• IP Group
• Per user within these SIP configuration entities
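The token bucket mechanism named above, applied per IP Group and per user within it, as an added example (not the device's implementation). The class names, rates, bursts and the INVITE arrival times are constructed; a dialog is admitted only when every applicable bucket holds a token, and a rejected dialog consumes none.

```python
class TokenBucket:
    """rate = tokens added per second, burst = bucket capacity."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # bucket starts full
        self.last = None

    def refill(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now


class DialogRateLimiter:
    """SIP-dialog rate control per IP Group and per user within that group."""

    def __init__(self, group_limit, user_limit):
        self.group_limit = group_limit   # (rate, burst) for each IP Group
        self.user_limit = user_limit     # (rate, burst) for each user
        self.buckets = {}

    def _bucket(self, key, limit):
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*limit)
        return self.buckets[key]

    def admit(self, now, ip_group, user):
        buckets = [
            self._bucket(("ip_group", ip_group), self.group_limit),
            self._bucket(("user", ip_group, user), self.user_limit),
        ]
        for bucket in buckets:
            bucket.refill(now)
        # Check every scope first so a rejected dialog takes no tokens.
        if all(bucket.tokens >= 1.0 for bucket in buckets):
            for bucket in buckets:
                bucket.tokens -= 1.0
            return True
        return False


def replay(limiter, events):
    """events: iterable of (time_seconds, ip_group, user) for new dialogs."""
    return [limiter.admit(t, group, user) for t, group, user in events]


# Constructed arrivals: one user bursts five INVITEs, another sends one.
EVENTS = [
    (0.0, "ITSP", "alice"), (0.1, "ITSP", "alice"), (0.2, "ITSP", "alice"),
    (0.3, "ITSP", "alice"), (0.35, "ITSP", "bob"), (0.4, "ITSP", "alice"),
    (2.0, "ITSP", "alice"),
]

if __name__ == "__main__":
    limiter = DialogRateLimiter(group_limit=(10, 10), user_limit=(2, 3))
    for event, admitted in zip(EVENTS, replay(limiter, EVENTS)):
        print(event, "admitted" if admitted else "rejected")
```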

296
Encryption

• Secure Signaling:
• TLS: TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3
• DTLS: DTLS 1.0 and DTLS 1.2
• Re-handshake
• Mutual authentication
• Certificate Revocation Checking
• Verify Subject Alt Name against the provisioned proxy name
• Secure RTP (SRTP):
• RFC 4568 (voice, video)
• SRTP enforcement

297
Secure SIP using TLS

• TLS-over-TCP protocol to best secure the device's SIP signaling connections


• TLS provides encryption and authentication of SIP signaling for your VoIP traffic
• TLS Contexts Table
• The TLS Contexts Table lets you configure up to 100 (device dependent) TLS certificates
• The device is shipped with a default TLS Context (ID 0 and string name "default")
• Lets you use different TLS certificates for IP Groups
• Assign a specific TLS Context to the Proxy Set and/or SIP Interface associated with the
IP Group

298
Secure Media (RTP) Traffic

• Use Secured RTP (SRTP) for encrypting the media


• SRTP is enforced on the SBC legs, using IP Profiles

299
Block Unused SIP Ports

• Each port is vulnerable to attack


• Set the port to 0 in the SIP Interfaces table for any transport type that is unused
• Use uncommon ports (not 5060) if possible

300
Classification Table
• Define Strict Classification Rules
• Define a combination of rules to guarantee correct sender identity
• Use Condition rules to increase the strictness of the Classification process
• If the IP address of the IP Group is known, it is recommended to employ classification based on a
Classification rule, where the rule is configured with not only the IP address, but also with SIP message
characteristics to increase the strictness of the classification process
• If the IP address is unknown, in other words, the Proxy Set associated with the IP Group is configured
with an FQDN, it is recommended to employ SIP dialog classification based on Proxy Set

301
Condition Table

• Enhances the classification process using SIP message headers
• Condition rules are later assigned to Classification Table rules
• SIP message conditions are configured using the same syntax (match-condition) as in the Message Manipulation Table

302
Block Unclassified Incoming Calls
• Block incoming calls that cannot be classified to an IP Group, or based on the rules in the Classification table
• If unclassified calls aren’t blocked, they’re sent to the default SRD/IP Group, so illegitimate calls can pass
• SBC rejects unclassified calls by default
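
The classification behaviour described on the Classification Table, Condition Table and Block Unclassified Incoming Calls slides, as an added Python model (not AudioCodes code or configuration syntax). The rule fields, IP Group names, addresses and header checks are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class ClassificationRule:
    source_net: str     # known IP address or subnet of the peer
    ip_group: str       # IP Group assigned when the rule matches
    # Optional check on SIP message characteristics (the Condition rule)
    condition: Optional[Callable[[dict], bool]] = None

def classify(rules, src_ip, headers, reject_unclassified=True):
    """Return (action, ip_group) for an incoming dialog-initiating request."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule.source_net):
            continue
        if rule.condition is not None and not rule.condition(headers):
            continue    # right address, wrong message characteristics
        return ("accept", rule.ip_group)
    if reject_unclassified:
        return ("reject", None)
    # Weak setting: the call lands in the default IP Group and may be routed.
    return ("accept", "default")

def host_of(uri):
    """Host part of a simple SIP URI such as sip:user@host:5060."""
    rest = uri.split(":", 1)[1]
    return rest.split("@")[-1].split(";")[0].split(":")[0].lower()

# Constructed rules: documentation address ranges, hypothetical names.
IP_ONLY = [ClassificationRule("203.0.113.10", "ITSP")]
STRICT = [ClassificationRule(
    "203.0.113.10", "ITSP",
    condition=lambda h: host_of(h["To"]) == "sbc.example.com"
    and h.get("User-Agent", "").startswith("ExampleTrunk/"),
)]

# Constructed requests: one that fits the trunk's profile, one that does not.
GENUINE = {"To": "sip:+15550100@sbc.example.com",
           "User-Agent": "ExampleTrunk/2.1"}
UNEXPECTED = {"To": "sip:900123456@198.51.100.7", "User-Agent": "unknown"}
```

With the IP-only rule, the unexpected request is classified to the ITSP IP Group because only its source address is checked. The strict rule leaves it unclassified, so it is rejected.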

303
Message Policy Table
• SIP message policy rules for blocking (blacklist) unwanted incoming SIP messages or allowing
(whitelist) receipt of desired messages
• Blacklist and whitelist for defined methods and for defined bodies
• Assigned to SIP Interfaces associated with the relevant IP Groups

304
Intrusion Detection System (IDS)

• The device's Intrusion Detection System (IDS) feature detects malicious attacks on the device
• The IDS configuration is based on IDS Policies (sets of rules)
• Each rule defines a type of malicious attack to detect and the number of attacks (alarm threshold)
• SNMP traps are sent to notify of malicious activity and/or whether an attacker has been added to or removed from the blacklist

• IDS Tables:
• Global Parameters – enables IDS
• Policy Table – defines IDS Policies and Rules
• Match Table – assigns the IDS Policies to targets under attack (SIP Interface) and/or
source of attacks (Proxy Set and/or subnet address)
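
How a threshold-based IDS rule of this kind behaves, as an added Python model (not the device's implementation). The counting window, the separate deny threshold, the deny period and the event names are assumptions of the model, and the event stream is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class IdsRule:
    reason: str            # type of event this rule counts
    window: int            # seconds over which events are counted
    alarm_threshold: int   # events in the window that raise an alarm
    deny_threshold: int    # events in the window that blacklist the source
    deny_period: int       # seconds the source stays blacklisted

class IdsMonitor:
    def __init__(self, rule):
        self.rule = rule
        self.events = defaultdict(deque)   # source -> recent event times
        self.blacklist = {}                # source -> blacklist expiry time
        self.traps = []                    # stand-in for SNMP traps

    def is_blocked(self, src, now):
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]
            self.traps.append((now, src, "removed-from-blacklist"))
            return False
        return True

    def observe(self, ts, src, reason):
        if self.is_blocked(src, ts):
            return "dropped"
        if reason != self.rule.reason:
            return "ignored"
        recent = self.events[src]
        recent.append(ts)
        while recent[0] <= ts - self.rule.window:
            recent.popleft()               # forget events outside the window
        if len(recent) >= self.rule.deny_threshold:
            self.blacklist[src] = ts + self.rule.deny_period
            recent.clear()
            self.traps.append((ts, src, "added-to-blacklist"))
            return "blacklisted"
        if len(recent) == self.rule.alarm_threshold:
            self.traps.append((ts, src, "alarm"))
            return "alarm"
        return "counted"

# Constructed event stream: (seconds, source address, event type).
EVENTS = [
    (0, "198.51.100.7", "auth-failure"), (1, "198.51.100.7", "auth-failure"),
    (2, "198.51.100.7", "auth-failure"), (3, "198.51.100.7", "auth-failure"),
    (4, "198.51.100.7", "auth-failure"), (5, "198.51.100.7", "auth-failure"),
    (30, "203.0.113.10", "auth-failure"), (40, "203.0.113.10", "malformed"),
    (64, "198.51.100.7", "auth-failure"),
]

def replay(events, rule):
    """Feed the events to a fresh monitor; return (outcomes, traps)."""
    monitor = IdsMonitor(rule)
    return [monitor.observe(*event) for event in events], monitor.traps
```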

305
Registration Restriction Control

• Limiting Number of Registrations:


• Limits the number of users that can register with the device per
• IP Group
• SIP Interface
• SRD
• By default, no limitation exists (license dependent)

306
Limit SBC Registered Users per IP Group

307
Limit SBC Registered Users per SIP Interface

308
Limit SBC Registered Users per SRD

309
Registration Restriction Control

• Ensure that calls from unregistered users are blocked (rejected) and that calls from
only registered users are allowed

310
Block Unregistered Users
• Blocks unregistered users’ calls per SRD or SIP Interface
• 503 Server Internal Error response message sent
• By default, calls from unregistered users are not blocked (Accept All)

311
Block Unauthenticated Registration
• Blocks unauthenticated users from registering into the SBC’s database per SRD or SIP Interface
• SBC then only registers users authenticated by a SIP proxy server

312
Define Strict IP to IP Routing Rules
• Define specific IP2IP routing rules accurately and correctly, avoiding asterisk (*) wildcards where possible
• Route Source IP Group to Destination IP Group correctly to achieve the required call outcome
• Inaccurate or weak routing rules can easily result in Service Theft

313
Secure Management Connections

• Change management Username and Password

314
Secure Management Connections (cont.)
• User levels: Monitor, Administrator, Security Administrator, Master
• Defines a Secure Socket Shell (SSH) public key for RSA public-key authentication (PKI) of the remote user when logging into the device's CLI through SSH
• Defines the duration (in days) of the validity of the password. 0 means that the password is always valid. The default is 90
• Allows the same user account to log in to the device from different sources (i.e., IP addresses)
• Defines the duration (in minutes) of Web inactivity of a logged-in user, after which the user is automatically logged off the Web interface
• Defines the duration (in seconds) for which the user is blocked when the user exceeds a user-defined number of failed login attempts
• New = (Default) User is required to change its password on the next login
• Valid = User can log in to the Web interface as normal
• Failed Login = This state is automatically set for users that exceed a user-defined number of failed login attempts
• Inactivity = This state is automatically set for users that have not accessed the Web interface for a user-defined number of days
315
Secure Management Connections (cont.)

• Define HTTPS Only


• Add Firewall rules that block Port 80
• Set a short Session Timeout

316
Authentication Server

Enable RADIUS login

Enable LDAP login


317
Secure Management Connections (cont.)

• Secure Telnet and SSH sessions

318
Secure Management Connections (cont.)

• Define Authorized WEB, Telnet and SSH Access List

319
Secure Management Connections (cont.)

• Secure SNMP interface access

320
Hands-on Lab 4

SIP Header Manipulation


Lesson 13

Digital Gateways Basic Configuration


Objectives

• After completing this lesson, you will:

• Know how to configure the basic gateway parameters

323
Configuring TDM Bus
• TDM Bus Clock Source (Network/Internal)
• Clock source on which the gateway synchronizes
• TDM Bus Local Reference
• Determines the Trunk ID used to synchronize the
gateway’s clock when using external clock
• TDM Bus PSTN Auto Clock Reverting
• Enables the PSTN trunk Auto-Fallback Reverting
feature
• TDM Bus PSTN Auto FallBack Clock
• Disable = Recovers the clock from the E1/T1 line
defined by parameter ‘TDM Bus Local Reference’
• Enable = Recovers the clock from any connected
synchronized slave E1/T1 line
• Apply only if the TDM Bus Clock Source parameter is
set to Network and TDM Bus PSTN Auto Clock
Reverting is set to Enable
• PCM Law Select (A-law/µ-law)
• Usually A-Law for E1 and µ-Law for T1
324
Configuring Key Trunk Parameters

• Protocol Type
• Sets the PSTN protocol to be used for this trunk
• If ‘Protocol Type’ of all PRI trunks displays 'None', select the protocol type (E1/T1) for a single
trunk and reset the gateway
• Only after the reset you will be able to continue configuring the trunks
• Clock Master
• Determines Tx clock source of E1/T1 line
• Recovered (0) = Generate clock according to Rx of E1/T1 line
• Generated (1) = Generate clock according to internal TDM bus
• ISDN Termination Side
• User side = ISDN User Termination Side (TE)
• Network side = ISDN Network Termination Side (NT)
• Select 'User side' when the PSTN or PBX side is configured as 'Network side’ and
vice-versa

325
Configuring Key Trunk Parameters

326
Configuring Key Trunk Parameters

327
Digital Trunk Points of Information

• All Trunk spans must be of the same Line Type (all E1 or all T1)
• Different flavors of same Line Type (E1/T1) can be configured on available Trunks
(e.g., E1 Euro ISDN and E1 QSIG)
• Trunks are referenced in ini file and Syslog messages as ‘0-7’ regardless of whether
physical Trunks are numbered ‘1-8’

E1 Euro ISDN E1 QSIG

328
Trunk Group Table – E1/T1 and/or FXS

• Used to assign Trunk Groups, Profiles and logical telephone numbers to the
gateway's channels
• Trunks or B-Channels that are not defined are disabled

329
Trunk Group Settings

• Determines the method by which new calls are assigned to channels within each Trunk
Group ID
• If such a rule doesn't exist (for a specific Trunk Group), the global rule defined by the
Gateway General Settings’ Channel Select Mode parameter applies

330
Coder Group Table
• Allows you to configure coders for the Gateway
• The first coder in the list has the highest priority
• A coder can appear only once in the table
• The Packetization Time determines how many coder payloads are combined into a single RTP packet
• The Gateway always uses the packetization time requested by the remote side for sending RTP packets
• Enable/Disable the Silence Suppression option per coder

331
Outbound IP Routing Table (Tel2IP)
• Used to route outgoing calls from Tel to IP

332
IP to Trunk Group Routing (IP2Tel)
• Used to route incoming IP calls to trunk groups
• Route the call to Trunk Group ID

333
Number Manipulation

• Manipulation can occur before or after a routing decision is made


• Number Manipulation tables for incoming and outgoing calls are
provided
• Used to modify Destination and Source telephone numbers so that
calls can be routed correctly
• Using Manipulation Tables, you can:
• Allow/Restrict Caller ID information
• Assign NPI/TON to IP-to-Tel calls

334
Routing Mode Parameters

• The Tel to IP Routing Mode and IP to Tel Routing Mode parameters determine the
order between routing calls to Trunk Groups and manipulation of the number
• Route calls before manipulation (default)
• Route calls after manipulation

335
Lesson 14

SBC Survivability
Lesson Objectives

• After completing this lesson you’ll:


• Understand the survivability concept
• Configure the SBC for survivability support
• Configure the SBC for PSTN Fallback

337
SBC Survivability

• Three survivability features:


1. Routing calls to alternative routes such as:
• ITSP
• IP-PBX
2. Routing calls between user agents in the local network using a dynamic DB
(built according to registrations of SIP user agents)
3. Fallback to the PSTN based on E1/T1 connection (Hybrid devices)

338
SBC Survivability

[Diagram: Enterprise LAN, WAN with ITSP1 and ITSP2, and PSTN over E1/T1. Legend: SIP Signaling + Media (RTP); ITSP Health SIP Check; IP to PSTN Calls in WAN isolation; Internal Calls in WAN isolation]

339
Survivability Methodology

• Based on the IP-to-IP Routing Table


• Alternative Route Options:
• Route Row (default):
• The first route – main routing rule. SBC first attempts to route the call to it
• Alt Route Ignore Inputs:
• If the call cannot be routed to the Route Row, the call is routed to this alternative route
• This route will apply regardless of incoming SIP dialog's input characteristics
• Alt Route Consider Inputs:
• If the call cannot be routed to the Route Row, the call is routed to this alternative route
• Apply only if the incoming SIP dialog matches this routing rule's input characteristics
• Group Member Ignore Inputs:
• This routing rule is a member of the Forking routing rule
• The incoming call is also forked to the destination of this routing rule
• The matching input characteristics of the routing rule are ignored
• Group Member Consider Inputs:
• This routing rule is a member of the Forking routing rule
• The incoming call is also forked to the destination of this routing rule only if the incoming call matches this
rule's input characteristics
340
Survivability Methodology

The alternative routing entry must be defined in the next consecutive table entry index

341
Define Alternative Reasons Set Table
• The Alternative Reasons Set table lets you configure groups of SIP response codes for SBC call release
(termination) reasons that trigger alternative routing
• This feature works together with the Proxy Hot Swap feature, which is configured in the Proxy Sets table
• If no response, or ICMP or SIP 408 response is received, the SBC attempts to use the alternative route
even if no entries are configured in the ‘Alternative Reasons Set table‘
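
The Survivability Methodology and Alternative Reasons Set slides above, worked through as an added Python model (not AudioCodes code). The rule fields and IP Group names are hypothetical. The model assumes that an 'Alt Route Consider Inputs' row which does not match the call is skipped, and it leaves out the Group Member (forking) options.

```python
from dataclasses import dataclass

ROUTE_ROW = "Route Row"
ALT_IGNORE = "Alt Route Ignore Inputs"
ALT_CONSIDER = "Alt Route Consider Inputs"
# Failures that trigger alternative routing even with an empty reasons set:
# no response (None), an ICMP error, or SIP 408.
ALWAYS_FAIL_OVER = {None, "ICMP", 408}

@dataclass
class Rule:
    index: int
    src_group: str      # input characteristic; "*" matches any source IP Group
    dst_prefix: str     # input characteristic; "*" matches any dialed number
    dest_group: str     # destination IP Group
    use: str = ROUTE_ROW

def matches(rule, call):
    return (rule.src_group in ("*", call["src_group"])
            and (rule.dst_prefix == "*" or call["dst"].startswith(rule.dst_prefix)))

def alternatives(rules, pos, call):
    """Yield the usable alternative rows that directly follow rules[pos]."""
    prev = rules[pos].index
    for rule in rules[pos + 1:]:
        if rule.index != prev + 1 or rule.use == ROUTE_ROW:
            return                      # index gap, or the next main rule
        prev = rule.index
        if rule.use == ALT_IGNORE or matches(rule, call):
            yield rule

def route(table, call, outcomes, reasons_sets):
    """Return the destination IP Groups attempted, in order.

    outcomes: dest_group -> 200, a SIP failure code, "ICMP" or None (no reply)
    reasons_sets: dest_group -> SIP codes in its Alternative Reasons Set
    """
    rules = sorted(table, key=lambda r: r.index)
    for pos, rule in enumerate(rules):
        if rule.use == ROUTE_ROW and matches(rule, call):
            break
    else:
        return []                       # no main routing rule matched
    attempted = []
    for candidate in [rule, *alternatives(rules, pos, call)]:
        attempted.append(candidate.dest_group)
        result = outcomes[candidate.dest_group]
        if result == 200:
            break
        triggers = ALWAYS_FAIL_OVER | reasons_sets.get(candidate.dest_group, set())
        if result not in triggers:
            break                       # release reason allows no alternative
    return attempted

# Constructed table: IP-PBX calls go to ITSP1, then ITSP2, then a PSTN gateway.
TABLE = [
    Rule(0, "IP-PBX", "*", "ITSP1"),
    Rule(1, "*", "*", "ITSP2", ALT_IGNORE),
    Rule(2, "IP-PBX", "00", "PSTN-GW", ALT_CONSIDER),
    Rule(4, "*", "*", "IP-PBX"),
]
REASONS = {"ITSP1": {503}, "ITSP2": {503}}
CALL = {"src_group": "IP-PBX", "dst": "0044123"}
```

A 404 from ITSP1 ends the attempt at the first route because 404 is not in the destination's reasons set, whereas no response or a 408 moves to the next row regardless of the set.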

342
Define Alternative Reasons Rules Table

343
Assign the Alternative Reasons Set to Destination IP Group

• To apply your configured alternative routing reason rules, you need to assign the
Alternative Reasons Set for which you configured the rules, to the relevant IP Group
in the IP Groups table, using the 'SBC Alternative Routing Reasons Set' parameter

344
SBC Survivability for IP-PBX Users

Normal Mode
Survivability Mode
Fallback to PSTN
345
Define Media Realms

346
Define SIP Interfaces

347
Define Proxy Set – IP-PBX

348
Define Proxy Set – ITSP1

349
Define Proxy Set – ITSP2

350
Define IP Groups

351
IP to IP Routing Table – Options Termination

352
IP to IP Routing Table – IP-PBX to ITSP1 (Primary Route)

353
IP to IP Routing Table – IP-PBX to ITSP2 (Alternative Route)

354
IP to IP Routing Table – Calls to IP-PBX

355
Define Alternative Routing Set

• If no response, or ICMP or SIP 408 response is received, the SBC attempts to use the
alternative route even if no entries are configured in the ‘Alternative Routing Set‘

356
Assign the Alternative Reasons Set to Destination IP Group

357
Configure the TDM Bus for the Gateway

358
Configure the Digital Trunk

359
Configure the Trunk Group – E1/T1

• Used to assign Trunk Groups, Profiles and logical telephone numbers to the
gateway's channels

360
Configure the Trunk Group Settings
• Determines the method by which new calls are assigned to channels within each Trunk Group

361
IP to Trunk Group Routing (IP2Tel)

• Used to route incoming IP calls to trunk groups


• Route the call to Trunk Group ID

362
Tel to IP Routing (Tel2IP)

• Used to route outgoing IP calls


• Route the calls to the IP-PBX IP Group

363
Define IP to IP Routing Table
• Add the Gateway entry to SBC IP-to-IP Routing Table:

364
SBC Survivability for LAN Users

Server IP-Group
Hosted IP-PBX
Server 1: 201.10.1.1
Server 2: 201.10.1.2
User IP-Group

Normal Mode
Survivability Mode

365
Define IP Group – LAN Users

366
User IP Group Classification

367
Define IP to IP Routing Table

• Terminate Options

368
Define IP to IP Routing Table

• Add the Registration support

369
Define IP to IP Routing Table

• Route coming from Hosted IP-PBX to the LAN Users

370
Define IP to IP Routing Table

• Route between LAN Users and the Hosted IP-PBX

371
Define IP to IP Routing Table

• If connection to the Hosted IP-PBX fails, LAN Users calls will be alternative routed to the LAN Users

372
Define IP to IP Routing Table

• All the other alternative calls will be routed to the PSTN over the E1/T1 connection

373
Lesson 15

SBC High Availability


Lesson Objectives

• After completing this lesson you’ll be able to:


• Understand the High Availability (HA) concept
• Understand the HA architecture
• Understand how to configure HA

375
High Availability Overview

• The device's High Availability (HA) feature provides 1+1 system redundancy using
two Mediant devices
• If failure occurs in the active device, a switchover occurs to the redundant device
which takes over the call handling process ensuring the continuity of call services
• All active calls (signaling and media) are maintained upon switchover
• Only IP calls are maintained during a switchover
• For those devices supporting the Gateway function, PSTN calls are dropped by sending
a SIP BYE message to the IP side. This is because only the active device is physically
connected to the PSTN interfaces

376
High Availability Architecture

• Provides full redundancy between the two Mediant devices


• One of the devices is in Active state while the second is in Redundant state
• In the Redundant device, only the Maintenance interface is active
• Management of the HA pair is done only through the Active device
• Upon a major functional failure in the Active device, the Redundant device
becomes active
• Supported in:
• Mediant 500
• Mediant 800
• Mediant 2600
• Mediant 4000
• Mediant 9000
• Software SBC

377
Two Box Redundancy flow

[Diagram labels: ITSP, IP-PBX, Enterprise LAN, Active Mediant, Standby Mediant, SYNC, New Active Mediant]

378
Two Box Redundancy flow

[Diagram labels: ITSP, IP-PBX, Enterprise LAN, Active Mediant, New Standby Mediant, SYNC, New Active Mediant]

379
HA License Key

380
High Availability Configuration

• Since both devices have the same IP address, in the initial configuration stage,
they cannot both be connected to the network
• To initially configure HA:
1. Configure HA on the first device
2. Burn the configuration to flash and power down
3. Configure HA on the second device
4. Burn the configuration to flash and reset
5. Power up the first device

381
IP Interfaces

Maintenance
Interface

382
Physical Network Connections

• A dedicated physical group for the Maintenance Interface
• Shared physical group – the physical port group used for the Maintenance Interface is also used for other interfaces (i.e., OAMP, Media, and/or Control) in addition to the Maintenance Interface

[Diagram labels: Network Port 1, Network Port 2, Network, Maintenance, Network and Maintenance]

383
HA Setting
• The remote maintenance IP Interface
• Devices Names
• Network Monitor:
• The SBC can monitor a specified network entity, using pings
• If the device does not receive a ping response from the entity, a switchover to the redundant device occurs

• Defines the minimum number of monitored rows (configured in the HA Network Monitor table) whose destinations are unreachable that are required to trigger an HA switchover
• The valid value is 1 to 10. The default is 1
384
HA Network Monitor
• Network Monitor:
• The SBC can monitor a specified network entity, using pings
• If the device does not receive a ping response from the entity, a switchover to the redundant device
occurs

Read-only field displaying the connectivity (reachable) status with the monitored row, which is based on ping results

385
Preempt Mode

• In the default configuration, the HA system is symmetric: whichever unit becomes Active stays Active
• The system can be configured in Preempt mode, which lets you specify one of the two units as the preferred (prioritized) unit
• When working in Preempt mode, each unit should be configured with a priority; whenever the unit with the higher priority recovers from a failure, it becomes active again (it performs an automatic switchover after HA synchronization has ended)

386
Preempt Mode

• Enable the HA Preempt feature
• Set the priority level of the device in the 'Preempt Priority' field
• Typically, you would configure the active device with a higher priority level (number) than the redundant device (range 1-10)

387
HA Status in the Monitor Page

• Synchronizing - Redundant device is synchronizing with Active device
• Operational - The device is in HA mode
• Stand Alone - HA is configured, but the Redundant device is missing, and HA is currently unavailable

388
Initialization Process

• When only one device is running, it is in stand-alone state


• When the second device is loaded, it recognizes the Active device (through the
Maintenance network) and acquires the HA Redundant state
• Synchronization between the Active and Redundant devices may take several
minutes in which the Active device provides the Redundant device with all its
current configuration settings (including loaded files and *.cmp)
• Once loaded to the Redundant device, the Redundant device reboots to apply the
new configuration

389
HA Software Upgrade

• Two types of software upgrade are available on an HA system:
• Hitless – the Redundant unit first burns the new software version and reboots, and a switchover is performed; the other unit then does the same, and a switch back is issued to return to the original system setup. This method preserves service, but it is more complex and takes more time
• System Reset – both the Active and Redundant units burn the new software version and reboot. This method is quick and simple, but it does not preserve service

390
High Availability Maintenance

• Manual Switch Over
• The redundant SBC takes over and the active device resets
• Reset The Redundant Board
• The redundant SBC resets

391
Hands-on Lab 5

SBC Survivability
Thank You
