Mitel MiVOICE BUSINESS User manual

MiVoice Border Gateway

Engineering Guidelines

January, 2017

Release 9.4

NOTICE

The information contained in this document is believed to be accurate in all respects but is not warranted by

Mitel Networks™ Corporation (MITEL®). The information is subject to change without notice and should not be

construed in any way as a commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and

subsidiaries assume no responsibility for any errors or omissions in this document. Revisions of this document or

new editions of it may be issued to incorporate such changes.

No part of this document can be reproduced or transmitted in any form or by any means - electronic or

mechanical - for any purpose without written permission from Mitel Networks Corporation.

Trademarks

The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's Internet

sites or in its publications are registered and unregistered trademarks of Mitel Networks Corporation (MNC) or its

subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited without the express consent from

Mitel. Please contact our legal department at lega[email protected] for additional information. For a list of the

worldwide Mitel Networks Corporation registered trademarks, please refer to the website:

http://www.mitel.com/trademarks.

Product names mentioned in this document may be trademarks of their respective companies and are hereby

acknowledged.

MBG - Engineering Guidelines

Release 9.4

January, 2017

®,™Trademark of Mitel Networks Corporation

1About this Document ........................................................................................................................ 5

1.1 Overview .................................................................................................................................... 5

1.2 Prerequisites ............................................................................................................................... 5

1.3 About the MBG Documentation Set.......................................................................................... 5

2Supported Configurations................................................................................................................. 5

2.1 Services ...................................................................................................................................... 5

2.2 Teleworkers and Remote Offices ............................................................................................... 6

2.3 NAT Traversal for Multi-instance MiVoice Business ................................................................ 9

2.4 Secure Gateway for Broadview Networks Silhouette HKS..................................................... 10

2.5 Secure Recording Environment.................................................................................................11

2.6 SIP Trunking............................................................................................................................. 13

2.7 Daisy Chain Deployments........................................................................................................ 14

2.8 MBG in MiCollab .................................................................................................................... 17

2.9 MBG in MiVoice Business Express......................................................................................... 17

2.10 Partial Service Configurations.............................................................................................. 18

3Common Requirements................................................................................................................... 18

3.1 Administrative Access.............................................................................................................. 18

3.2 Firewalls (DMZ deployment)................................................................................................... 19

4Remote Phone Access..................................................................................................................... 20

4.1 Remote Site Requirements....................................................................................................... 21

4.2 Behavior ................................................................................................................................... 24

4.3 Firewall Configuration for Remote MiNet Devices................................................................. 25

4.4 Configuring MBG for Remote SIP Devices............................................................................. 25

4.5 Firewall Configuration for Remote SIP Devices...................................................................... 26

5SIP Trunking ................................................................................................................................... 26

5.1 Overview .................................................................................................................................. 26

5.2 Send Options Keepalives.......................................................................................................... 27

5.3 Bandwidth Requirements ......................................................................................................... 27

5.4 Resilient Trunk Configuration.................................................................................................. 27

5.5 DNS Support ............................................................................................................................ 29

5.6 Firewall Configuration for SIP Trunking................................................................................. 29

6Call Recording ................................................................................................................................ 29

6.1 Call recording vs. Local Streaming.......................................................................................... 29

6.2 Indirect Call Recording ............................................................................................................ 30

7Web Real-Time Communication (WebRTC).................................................................................. 30

7.1 WebRTC Gateway Supported Configurations.......................................................................... 30

7.2 WebRTC Architecture and Topology ....................................................................................... 31

7.3 Firewall Configuration for WebRTC Gateway......................................................................... 33

8Additional Application Requirements............................................................................................. 33

8.1 MiCollab Client v6.0+.............................................................................................................. 33

8.2 MiContact Center..................................................................................................................... 34

8.3 Web Proxy................................................................................................................................ 34

8.4 Remote Management Service................................................................................................... 34

9Additional Security Considerations ................................................................................................ 35

9.1 SIP Security.............................................................................................................................. 35

10 Traffic Shaping................................................................................................................................ 35

10.1 Overview............................................................................................................................... 35

10.2 Technical Details .................................................................................................................. 35

11 Clustering........................................................................................................................................ 36

11.1 Overview .................................................................................................................................. 36

11.2 Cluster Zones............................................................................................................................ 37

11.3 Node Weighting........................................................................................................................ 37

11.4 Additional Considerations........................................................................................................ 38

11.5 Firewall Configuration for Clustering...................................................................................... 38

12 Advanced Options........................................................................................................................... 39

12.1 Resiliency ............................................................................................................................. 39

12.2 IP Translations ...................................................................................................................... 40

12.3 Streaming Addresses............................................................................................................. 40

12.4 RTP Frame Size .................................................................................................................... 41

12.5 TFTP Block Size................................................................................................................... 41

12.6 Compression Codecs ............................................................................................................ 42

12.7 SRTP Port Range .................................................................................................................. 42

12.8 DSCP .................................................................................................................................... 42

13 Sizing Your Installation................................................................................................................... 43

13.1 Determining Line Size for Large Sites................................................................................. 43

13.2 Determine Call Equivalents.................................................................................................. 44

13.3 Determine Bandwidth Requirements.................................................................................... 44

13.4 Hardware Selection............................................................................................................... 48

13.5 Web Proxy and Remote Management Service Requirements .............................................. 48

13.6 MiCollab Client and MiCollab AWV Conferencing Requirements..................................... 48

13.7 MiContact Center Softphone Requirements......................................................................... 49

14 Virtual MBG Considerations .......................................................................................................... 50

14.1 Licensing............................................................................................................................... 51

14.2 Upgrades............................................................................................................................... 51

14.3 Host Server Requirements.................................................................................................... 51

14.4 High-Availability.................................................................................................................. 51

15 Solutions to Common Problems ..................................................................................................... 52

15.1 Changing a Cluster Node's IPAddress................................................................................. 52

15.2 T.38 Faxing Does Not Work With NAT................................................................................ 52

16 Performance Characteristics and Limits......................................................................................... 52

16.1 MBG Capacities – Device (MiNet & SIP) and Trunking (SIP) ........................................... 53

16.2 MBG Capacities – WebRTC................................................................................................. 54

16.3 Web Proxy Capacities........................................................................................................... 54

16.4 MBG System Capacities....................................................................................................... 55

17 AppendixA: Firewall Configuration Reference............................................................................. 55

1 About this Document

1.1 Overview

The purpose of this document is to describe configuration rules, provisioning, and performance information for

the MiVoice Border Gateway, and associated products in order to assist in sales and support of this product. This

information is intended for Training, Sales and Product support staff and complements other sales material and

product documentation.

Note: The Secure Recording Connector (SRC) has been consolidated into MBG. Accordingly, although this

document discusses the SRC control interface and its protocol, it does not treat them SRC as a separate

feature.

1.2 Prerequisites

The MiVoice Border Gateway application runs on the Mitel Standard Linux (MSL) Server. The reader should first

become familiar with the MSL Installation and Administration Guide and the Qualified Hardware List. These

documents are available from http://edocs.mitel.com.

1.3 About the MBG Documentation Set

Mitel documentation is available from http://edocs.mitel.com. (Note: a Mitel On-Line account is required to

access eDocs.) The following guides provide complete information about MBG:

•The MBG Engineering Guidelines (this document).

•The MiVoice Border Gateway Blade Installation and Maintenance Guide provides information about

system requirements, installation of MBG, and configuration of MBG options and firewalls.

•The MiVoice Border Gateway Online Help provides information about MBG configuration and

maintenance.

•The Remote IP Phones Configuration Guide provides information about configuring remote phones.

2 Supported Configurations

2.1 Services

MBG provides the following services:

•Remote MiNet IP Phones: The classic use of MBG, formerly known as the Teleworker Solution, permits

remote MiNet phones to securely access the corporate phone network over the Internet.

•Remote SIP IP Phones:Permits Teleworker functionality for SIP hard or soft phones over the Internet.

•SIP Trunking:Allows a corporate phone switch to connect to a SIP Trunk provider, protecting the

switch from malformed messages, unauthorized use, and various attacks, and providing an anchor point

for media streams.

•Call Recording:Formerly the Secure Recording Connector, this service allows secure recording of

phone calls by a third-party application.

•WebRTC: A gateway to support browser-based voice and video calling. This guide provides information

about the requirements and installation procedures of the MiVoice Border Gateway.

In addition, the MBG server can host the Remote Proxy Services blade to provide the following services:

•Web Proxy: end-user access from the WAN to applications hosted inside the firewall

•Remote Management Service: administrative access from the WAN to applications hosted inside the

firewall

Please refer to the Remote Proxy Services documentation for details.

MBG can be deployed in several ways depending on the services required.

2.2 Teleworkers and Remote Offices

Overview

The original design intent of MBG is to provide a Teleworker solution. Once an MBG server is installed,

extensions from the office PBX can be extended across the Internet to permit MiNet phones to work from homes,

remote offices, hotels, etc.

In this use-case, either the server-gateway profile or DMZ profile could be used depending where on the network

MBG is to be deployed. If deploying behind an existing firewall on a DMZ, then a single network interface and

DMZ profile is appropriate. If deploying beside an existing firewall, or if there is no existing firewall, then server-

gateway profile is appropriate.

Failure to follow these guidelines will result in one-way or no-way audio.

Warning: Some firewalls which use port-forwarding to simulate a DMZ are Port-forwarding Firewalls. See

the Common Requirements chapter for full details.

MiVoice Border Gateway as Internet Gateway

Mitel recommends deploying the Mitel Standard Linux server with MiVoice Border Gateway as the Internet

gateway and firewall for any enterprise without an existing firewall. Figure 2 shows an example of this

configuration using the MiVoice Border Gateway and a MiVoice Business (3300 ICP).

MBG requires two network interfaces and two addresses for this configuration. The external address must:

1. Be a static address that does not change

2. Be directly attached to a NIC on the MSL server

3. Be reachable from the public network/Internet

4. Be reachable from the internal network/LAN

5. Not be subject to NAT or behind another firewall

The interface may be configured via DHCP, PPPoA, PPPoE or similar technology, but the address it receives

must always be the same.

Warning: If the external address changes, all teleworker phones must be reprogrammed with the new

address.

Figure 1: MBG in traditional Teleworker configuration

An enterprise can take advantage of the DSL, authenticated DHCP and PPPoE/PPPoA1capabilities of the MSL

server. Additionally provides NAT for all devices at the enterprise, a stateful packet filter firewall, and optional

port-forwarding.

Note: If desired and if hardware is available, a third interface may be configured in MSL. This interface might be

useful as a dedicated interface for if a network between the MBG servers can be set aside for this purpose.

Alternatively, the third interface could be put into bridged mode on MSL 9.2+ to permit an MBG server in parallel

with an existing firewall to transparently handle all traffic from that firewall and accomplish traffic shaping. See

Traffic Shaping for full details.

Additional Trusted Local Networks

Additional trusted internal networks or subnets that require access to the MiVoice Border Gateway can be added

via the Networks panel of the server manager. This access can be limited to individual hosts, or large network

blocks can be used. In all cases, the Router property should be set to the address of the router on the subnet

attached to the MSL server's internal interface.

For example, to allow access from the single subnet 192.168.12.0/24, you would enter a network of

192.168.12.0 and a mask of 255.255.255.0 in the Local Networks panel, plus the address of the router on the

local subnet through which this network can be reached.

If the customer’s network has multiple subnets with a common prefix, access can be allowed from the prefix. For

example, if the customer uses various subnets within the 192.168.0.0/16 network, enter a network of

192.168.0.0 and mask of 255.255.0.0 in the Networks panel, and allow the local router to determine the routing

to the individual subnets.

In addition to providing application access control, the Networks panel can also be used to add static routes.

Note: The Networks panel is a feature of MSL. Refer to the MSL documentation for a full description of its

capabilities.

MiVoice Border Gateway in a DMZ

1Limited support is provided for PPPoA. Mitel recommends the use of a D-Link DSL 300T modem at the enterprise site if PPPoA

connectivity is required in gateway mode. Configure the modem to provide DHCP on the internal interface, and use DHCP on the MSL server

to configure the public interface. The modem acts as a bridge. Note that PPPoA routers that provide NAT will not work here.

Figure 2: MBG as Internet Gateway (no enterprise firewall)

The MiVoice Border Gateway can also be deployed behind a customer-provided or customer-managed firewall

as shown in Figure 3. This firewall must have 3 network interfaces (ports): WAN, LAN, and DMZ. Two-port

firewalls are not supported. It should also be noted that some “DSL routers” with “DMZ” port forwarding are

simply two-port NAT devices and should be treated as any other two-port firewall. Deployment of the MiVoice

Border Gateway behind such devices is not supported.

MBG requires one network interface and two addresses for this configuration. The interface must be configured

with a static address allocated from the DMZ network range. This is typically an RFC 1918 “private” address. The

enterprise firewall must be configured with an address allocated from the public/Internet range. This address

must be:

1. reachable from the public network/Internet

2. reachable from the internal network/LAN

3. able to reach the internal network/LAN

4. preferably dedicated solely to MBG, but also see Port-forwarding firewalls

2.3 NAT Traversal for Multi-instance MiVoice Business

In a multi-tenant Multi-instance MiVoice Business install, it is possible to find tenant sites with overlapped

network ranges, and without NAT at the customer edge network. In this case, MBG can be used to perform

between the tenant sets and the Multi-instance MiVoice Business solution.

Fig

ure 3: MBG deployed in a DMZ

Other manuals for MiVOICE BUSINESS

Table of contents

Other Mitel Gateway manuals

Mitel

Mitel Mediatrix Model M Manual

Mitel

Mitel 3300 Operator's manual

Popular Gateway manuals by other brands

LST

LST M500RFE-AS Specification sheet

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

Mitsubishi Heavy Industries

Mitsubishi Heavy Industries Superlink SC-WBGW256 Original instructions

ZyXEL Communications

ZyXEL Communications ZYWALL2 ET 2WE user guide

Telsey

Telsey CPVA 500 - SIP Technical manual

RTA

RTA 460A-NNA4 Product user guide

Shaw

Shaw Gateway HDPVR user manual

ABB

ABB VSN900 Commissioning manual

Commander

Commander Pulse owner's manual

2N Telekomunikace

2N Telekomunikace ATEUS EasyGate 501309E manual

NETGEAR

NETGEAR C6300BD installation guide

Amit

Amit CDW531AM user guide

HMS

HMS Netbiter EasyConnect EC150 user manual

Huawei

Huawei EchoLife HG620 user guide

AT&T

AT&T U-verse 3801 Replacement self-installation guide

Logic IO

Logic IO RTCU MX2 turbo Technical manual

Suttle

Suttle MediaMAX MXM-521 installation instructions