Skype for Business and Sonus – Part 2 – Configuring the Foundations

In Part 1 we discussed the basics of where and how to install the Sonus SBC. In this article we will discuss how to prepare the SBC 1000 for production readiness, including licencing, updating, controlling access, networking and system settings.

It is important to set solid footings in order to ensure easier administration moving forward and for proper security.

Licencing

The first task I undertake is to licence the SBC. Out of the box, the device is pretty much an expensive book stop. With no licence applied, essentially all you can do is make one registration to the SBC, but no calls can be placed through the device. Gather the device serial number you obtained in Part 1. When you purchase an SBC, the device should be accompanied by an email from Sonus that provides a link to their self-licencing portal and an access code. If you do not have this email, please contact your supplier to obtain it. Once submitted, your licence key will be provided to you via e-mail. This e-mail can take about 5 minutes to arrive, so don’t panic if it is not sitting in your inbox immediately. The key is a hash of your device serial number, the features purchased and the validity period of the licence. Copy the licence key to your clipboard and, from your SBC, click on Settings tab > System > Licensing > Install New License.

Paste your licence key in its entirety into the licence box and hit apply. Once you have applied the licence key, reboot the SBC by clicking on Tasks Tab > Reboot Sonus SBC

On reboot, if you go back to Settings tab > System > Licensing > Current Licenses you should be able to see that your SBC has been properly licenced

Be careful to make note of any expiration of the licence by scrolling down to the bottom of the window and analysing the License Expiration information

Updating

After licencing the device, you will probably want to update the firmware to the latest release. At the time of writing the latest release is 5.0.2. All new Sonus SBCs should now ship with at least version 5.0, but in case you have an older unit there are a few things to consider. Updates are generally not cumulative, instead mainly roll-ups. In other words, you cannot skip minor versions or jump a major version in most cases (unless the release documentation says otherwise). For instance, if your SBC is version 3.0, you must first update to 3.0.1, then 3.1 before upgrading to 4.0. This upgrade path is called stepping stone upgrades.

The SBC comes with two partitions. Only one is active at a time. This provides roll back capabilities, as well as the opportunity to stage the new update to the SBC and then activate that version at a chosen time. It is best practice, and recommended, that you take a backup of your configuration prior to any update. In fact, since release 3.1, the firmware has made backup of the configuration a mandatory step before allowing the application of the new firmware.

As well as the application partition, there is also a boot partition. The boot partition stores the applications required to boot the device, i.e. the core Operating System, which under the bonnet is a highly customised Linux distribution. Between upgrades of firmware, the boot image may change version. The last time the boot image changed was when Sonus moved from version 2.x to 3.x. Therefore, before upgrading to any version, double check that Sonus have not released a new boot image alongside the main firmware release. If they have, then you must update the boot image prior to updating the main firmware, or the device will not boot.

To obtain the update, please visit the Sonus Customer Support Portal: https://support.sonus.net/display/PORTAL/Salesforce+Login , or contact your partner directly. Make sure you request all the updates between your version and the current release. Please note that version 5.0 of the firmware is the supported version for Skype for Business. It is also critically important to read the release notes of each version to ensure that there are no special considerations to understand.

To update the device, click on Settings tab > System Settings > Software Management > Boot Partition

Check your boot image version to make sure it is compatible with your update. If it is, proceed to the next steps

Again in the same configuration folder select Application Partitions. You should see two available, one being active

The first step is to back up your SBC configuration. You can do this by clicking on Backup Configuration at the top of the partition table. You must enter a password to secure the backup tar file; it does not need to meet any complexity requirements.

Once you have a copy, click on Upload Firmware at the top of the partition table. This will automatically upload the firmware to the inactive partition

This process can take about 10 to 15 minutes to complete depending on the size of the firmware. Once this is successful you can click Set Active to update the SBC. This will reboot the SBC.

System Settings

Now that we have the SBC up to date, we can look at some basic settings. First off we should configure the Node Level Settings. These include items such as hostname, DNS and NTP settings. Click on Settings tab > System > Node Level Settings

Enter the host name of the SBC and the domain name that the SBC is going to be configured in. Fill out the System Information boxes to identify the physical location of the SBC; this is useful if you have multiple SBCs across many sites.

The DNS settings can be set if you want the SBC to resolve internal SIP services such as Skype for Business or Exchange UM. In fact, you will run into problems, especially transferring between Skype for Business and Exchange UM (Auto Attendant and Voicemail) if DNS is not configured, even if you specify only IP addresses in your configuration. However, I usually do not configure DNS for internal services and use the host record table to configure my back-end services, but the choice is yours. For the purpose of this guide, DNS has been configured and will be used.

It is important to ensure you set an accurate date and time for the system. If you don’t, this will impede troubleshooting especially when analysing multiple log files across systems to identify an issue. It is recommended to use NTP servers, such as your Primary Domain Controller for instance. If not, then you can use public NTP or set the time and date manually. To set the time and date manually click on the Set Date / Time link at the top of the settings page.

Be careful if setting manual date and time, and watch for time creep between systems.

After node level settings have been completed, if you have an SBC 1000, and are in the UK, click on System Companding Law from the system navigation branch. Make sure you change the Companding Law from u-LAW to A-LAW

For SBC 2000’s, the companding law is automatically discovered. Want to know what Companding is? Read this article: https://en.wikipedia.org/wiki/Companding

Configuring Network Access

When you completed the initial setup, the IP address you gave the system was applied to interface 1. Interface 2 will still be configured for default access on 192.168.129.2. This interface will be used for external access to your service provider and will be configured with either a public IP address or a NATed private IP address. Click on Node Interfaces > Logical Interfaces > Ethernet 2 IP

Configure the interface with the desired IP address and apply the configuration.

Next we need to define a static route for the signalling and media that is not inbound to your internal network. We need to ensure that to the outside world i.e. your service provider endpoint, the IP address of the Sonus SBC is the correct external IP configured on Interface 2. This is to ensure correct establishment and authentication. Click on Settings tab > Protocols > IP > Static Routes

Press the + icon to add a route. Enter the default route for any traffic destined for IP addresses not within the internal range of the SBC. The gateway should be Interface 2, or the default gateway of the perimeter network in which interface 2 is configured, if behind a NAT firewall.

The SBC is also VLAN aware, so virtual interfaces can be configured for multiple network connections. However, this is beyond the scope of this article.

Network Security

By default, the SBC will accept any connection on any protocol from any source on any interface. When exposing your SBC directly to the outside world it is important to take the necessary steps to secure access to your system. This is provided by Access Control Lists (ACLs) that the SBC will use to allow, or deny a connection. Before we can configure the ACLs, we must obtain some important information from the service provider.

  • Public IP address of their endpoints
  • Signalling Port
  • Protocol
  • Media endpoint
  • Media Ports
  • Protocol (almost always UDP)

Once you have obtained this information you can build your external ACL. Click on Settings tab > Protocols > IP > Access Control Lists

Click the + icon to create your external ACL table (if you are behind a NAT firewall, then you should use your internal firewall IP as the external source address)

Now click on the table you created in the navigation tree, and press the + icon to add a rule to the table

For the purpose of this guide, I am going to be using the following fictional settings from the table below.

  • Service Provider: Tailspin Telecom
  • Signalling Endpoint: 100.0.1.10
  • Port: 5060
  • Protocol: TCP
  • Media Endpoint: 100.0.1.11
  • Ports: 50000-55000
  • Protocol: UDP

  1. Enter the description of the rule e.g. Tailspin Signalling.
  2. Select the Protocol: TCP
  3. Action: Allow
  4. Port Selection Method: Range
  5. Source IP: 100.0.1.10
  6. Minimum Port Number *
  7. Maximum Port Number *
  8. Destination IP Address: 80.129.16.121 (external IP of the Sonus box i.e. interface 2)
  9. Minimum Port Range: 5060
  10. Maximum Port Range: 5060

Repeat for media

  1. Enter the description of the rule e.g. Tailspin Media (inbound).
  2. Select the Protocol: TCP
  3. Action: Allow
  4. Port Selection Method: Range
  5. Source IP: 100.0.1.10
  6. Minimum Port Number *
  7. Maximum Port Number *
  8. Destination IP Address: 80.129.16.121 (external IP of the Sonus box i.e. interface 2)
  9. Minimum Port Range: 16384
  10. Maximum Port Range: 17584


You may be wondering why the media port range is not 50000-55000. That is because, for inbound, the media ports allowed are the media ports the Sonus SBC itself uses. By default, the Sonus media port range starts at 16384 and contains 600 pairs of ports. This allows for a maximum of 300 calls, but as the SBC 1000 can only handle 160, this is sufficient. So 16384 + 1200 = 17584.


Lastly, for inbound we need to block everything else. This time choose Any protocol and set the action to Deny. Enter the destination as the IP address of interface 2.

Your inbound ACL should now look similar to the below. It is important to know that the rules are processed in the order in which they appear in the table. You can re-order the sequence using the pencil icon.
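To see why rule order matters, the following added example (not from the original article and not Sonus code) models the inbound table as a first-match rule list and reports rules that can never fire because an earlier rule covers them. The first-match model, the `Rule` structure and the probe source 203.0.113.7 are assumptions made for illustration; the media rule uses the media endpoint and UDP from the fictional Tailspin table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    desc: str
    proto: str                    # "TCP", "UDP" or "ANY"
    action: str                   # "allow" or "deny"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dports: tuple = (0, 65535)    # inclusive destination port range

def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    return (a.proto in ("ANY", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])

def evaluate(table, proto, src, dst, dport):
    """Assumed model: the first rule that matches decides the action."""
    for r in table:
        if (r.proto in ("ANY", proto)
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.dports[0] <= dport <= r.dports[1]):
            return r.action, r.desc
    return "no-match", None

def shadowed(table):
    """Rules that can never fire because an earlier rule covers them."""
    return [b.desc for i, b in enumerate(table)
            if any(covers(a, b) for a in table[:i])]

SBC = "80.129.16.121/32"          # interface 2 address used in this guide
INBOUND = [                       # values from the fictional Tailspin table
    Rule("Tailspin Signalling", "TCP", "allow", "100.0.1.10/32", SBC, (5060, 5060)),
    Rule("Tailspin Media (inbound)", "UDP", "allow", "100.0.1.11/32", SBC, (16384, 17584)),
    Rule("Deny all", "ANY", "deny", "0.0.0.0/0", SBC),
]
MISORDERED = [INBOUND[2], INBOUND[0], INBOUND[1]]   # deny rule moved to the top

if __name__ == "__main__":
    probes = [("TCP", "100.0.1.10", 5060), ("UDP", "100.0.1.11", 16400),
              ("UDP", "100.0.1.11", 50000), ("TCP", "203.0.113.7", 5060)]  # constructed
    for proto, src, port in probes:
        print(proto, src, port, evaluate(INBOUND, proto, src, "80.129.16.121", port))
    print("shadowed when misordered:", shadowed(MISORDERED))
```

Running a check like `shadowed()` against an exported rule list before applying it to Ethernet 2 catches a deny-all that has been sequenced above the allow rules.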

Now that we have created the inbound ACL, we should create an outbound ACL. This will restrict the destinations the SBC can initiate connections to. Using the same table as reference, we can build our outbound ACL.

  1. Create another ACL table called External ACL (Outbound)
  2. Create the first entry to allow signalling out
  3. Create the second entry to allow media out
  4. And the final rule to block everything
  5. The outbound ACL should look something similar to this

Now we have created our external ACLs, we need to bring these into effect. In order to do this, we need to go back to Settings tab > Node Interfaces > Logical Interfaces > Ethernet 2 IP

Expand the Ethernet 2 IP settings by clicking on the arrow and change the ACL In and ACL Out settings to the appropriate ACL list we created, and press apply to commit the configuration

You may want to configure the internal interface (interface 1) with an ACL of its own. Generally speaking, I tend to create a rule to allow HTTP/S traffic from Management networks, block from all others and restrict the Signalling Port and Protocol to between the Sonus SBC and Skype for Business mediation servers only. The rest I leave open, unless there is a specific reason to.

In Part 3 we will start to look at how to prepare Skype for Business for integration with Sonus.

Part 3 >> Configuring Skype for Business
