Nortel 1000 Con?guration guide Quick setup guide
Nortel Application Gateway 1000/2000
Nortel Application Gateway Release 6.1
Network Integration Guide
Planning
Document Number: NN42360-200
Document Release: Standard 01.04
Date: January 2007
Year Publish FCC TM
Copyright © 2007 Nortel Networks. All rights reserved.
Produced in Canada
The information in this document is subject to change without notice. The statements, configurations, technical
data, and recommendations in this document are believed to be accurate and reliable, but are presented
without express or implied warranty. Users must take full responsibility for their applications of any products
specified in this document. The information in this document is proprietary to Nortel Networks.
Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.
Title page
iii
Application Gateway Network Integration Guide
Contents
Audience v
Organization v
Conventions vi
Related Documentation vi
CHAPTER
1Overview 1
Voice Office 2
Transformed Applications 3
Security 3
Deployment Planning 4
Network Impacts 5
CHAPTER
2Security Planning 7
Application Gateway Security Overview 7
General Security Issues 9
Application Gateway Security Solutions 11
Authentication 11
Secure Socket Layer 12
Cookies and Secure Cookies 13
Other Security Features 13
CHAPTER
3Deployment Planning 15
Overview 15
The Application Gateway Pre-Installation Checklist 16
Considerations for Integrating the Application Gateway into an IP Phone
Enterprise 16
Location of Call Servers, IP Phones, and LDAP Servers 17
Location of Web/Intranet Content 17
Administration and Redundancy Requirements 17
Relative Performance of Network Segments 18
Quality of Service (QoS) 18
Sample Configurations 19
Contents
Application Gateway Network Integration Guide
iv
Application Gateway Location Relative to a Firewall or
Router 19
Application Gateway Operation with a Router 20
CHAPTER
4Network Impacts 21
I
NDEX
v
Application Gateway Network Integration Guide
Preface
This preface describes who should read the Application Gateway Network
Integration Guide, how it is organized, and its document conventions.
Audience
This installation guide is intended for IT professionals and other
individuals responsible for determining how the Application Gateway is
to integrate into a network.
Organization
This guide is organized as follows:
Chapter Title Description
Chapter 1 Overview Provides an executive summary of this guide.
Chapter 2 Security Planning Provides a starting point for security
planning and contains a general discussion of
security issues.
Chapter 3 Deployment Planning Discusses issues to consider when planning
how to integrate the Application Gateway
into your network and contains sample
configurations.
Chapter 4 Network Impacts Provides a summary of how Application
Gateway operation impacts a network.
Conventions
vi Application Gateway Network Integration Guide
Conventions
This guide uses the following conventions:
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or other
important information.
Tips use the following conventions:
Tip Means the following information will help you solve a problem. The tips
information might not be troubleshooting or even an action, but could be
useful information.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do
something that could result in equipment damage or loss of
data.
Related Documentation
For additional information about the Application Gateway, refer to these
guides:
•Application Gateway Hardware Installation Guide
•Application Gateway Administration Guide
Convention Description
boldface font Commands and HTML element names are in
boldface.
boldface screen
font
Information you must enter is in boldface screen
font.
1
Application Gateway Network Integration Guide
Chapter 1
Overview
This document discusses issues to consider when planning how the
Application Gateway will integrate into your network. Topics covered
include the basic functions and operation of the Application Gateway,
with emphasis on security and the interactions between the Application
Gateway and your network. This chapter provides an executive summary
of network integration considerations.
The Nortel Application Gateway delivers business applications to the
screens and speakers of Internet-enabled IP telephones. The applications
delivered to IP Phones include Nortel Voice Office applications and
transformed business applications.
Chapter
Chapter 1 Overview
Voice Office
2Application Gateway Network Integration Guide
Voice Office
Voice Office is a suite of packaged
telephony applications that requires no
development work. The Voice Office
Application Suite enables enterprises to
further leverage their IP telephony
investments and increase workforce
productivity by delivering converged
applications to the screens and speakers of
IP phones.
Voice Office applications include:
•Visual Voicemail enables users to see a
visual list of their voice messages with the
ability to select the most important ones to review, without having to
listen to each message in a serial fashion. During message playback,
the user can play, pause, forward, reply, and rewind using labeled soft
keys rather than using cryptic control codes.
•Express Directory provides an LDAP-based, organization-wide
directory with high-speed, real-time pruning. This new directory user
interface reduces the time to look-up and dial in by 75% compared to
current solutions.
•Zone Paging enables authorized users to page to groups of IP
telephones in specific zones without the expense of installing an
overhead paging system
•Broadcast Server delivers priority messages such as emergency, IT,
and weather alerts in the form of text, graphics and audio alerts to IP
telephones.
•Smart Agent enables a Windows PC user who is connected to an
Application Gateway to dial a number by clicking it in Internet
Explorer, Outlook, and Outlook Express.
Application Gateway Network Integration Guide
Chapter 1 Overview
Transformed Applications
3
Transformed Applications
In addition to delivering Voice Office applications to IP phones, the
Application Gateway also provides the ability to transform existing
business applications for the screens of IP phones.
Transformed applications are delivered to the screen of the device using
the Application Gateway and are customized using the visual
development toolkit, Design Studio. Transformed applications appear as
though they were custom-developed for the IP telephone, often without
change to any of the underlying applications. Transformed applications
include time clocks, email, sales force automation, school attendance,
inventory look-up, and patient records, for example.
Security
The Application Gateway is a transparent network appliance that
implements and supports industry-standard security techniques. The
Application Gateway sits behind a corporate firewall and is resistant to
invasion. It has been tested to ensure that it has no high- or medium-risk
security vulnerabilities, and no UNIX, Web server, URL, or port
vulnerabilities.
Chapter 1 Overview
Deployment Planning
4Application Gateway Network Integration Guide
The Application Gateway fully complies with the security protocols used
by other devices. For example, if your IP telephones support secure
communications, the Application Gateway connection with the
telephones will be secure. The Application Gateway uses only published
interfaces to IP telephones and systems.
For a more in-depth discussion of Application Gateway security, see
Chapter 2, “Security Planning.”
Deployment Planning
The Application Gateway installs into any network infrastructure without
requiring changes to the existing hardware or back-end software. The
Application Gateway sits in front of content servers and works with other
networking products such as cache engines, web servers, firewalls, and
routers.
The Application Gateway is designed for flexible network deployment.
The location of an Application Gateway in a network is largely based on
the configuration of the existing network.
Regardless of the network deployment chosen, the only requirements that
must be met to ensure correct operation are as follows:
•The client devices (IP telephones) must be able to contact the
Application Gateway on the network.
Application Gateway Network Integration Guide
Chapter 1 Overview
Network Impacts
5
•The Application Gateway must be able to contact the servers that have
the requested content. Content may be generated by servers on the
local network and the Web.
For a more information about Application Gateway deployment planning,
see Chapter 3, “Deployment Planning.”
Network Impacts
Sending a page or broadcasting a message through the Voice Office
applications occupies audio bandwidth at a rate of 85.6 Kilobits per
second.
For more information on Application Gateway network impacts, see
Chapter 4, “Network Impacts.”
Chapter 1 Overview
Network Impacts
6Application Gateway Network Integration Guide
7
Application Gateway Network Integration Guide
Chapter 2
Security Planning
Security is a major issue in conducting any business. This chapter provides
an overview of Application Gateway security. This chapter is not intended
to be a comprehensive guide to planning a security strategy, as these
issues will vary by organization. However, this chapter provides a starting
point for security planning and outlines how the Application Gateway is
capable of addressing a wide range of business and enterprise policy
requirements.
The following topics describe Application Gateway security:
Application Gateway Security Overview, page 7
General Security Issues, page 9
Application Gateway Security Solutions, page 11
Application Gateway Security Overview
The Application Gateway is a transparent network appliance. It leverages
existing security infrastructure to provide seamless, end-to-end, secure
communication between devices and enterprise application servers. The
Application Gateway sits behind a corporate firewall, uses standard
security mechanisms, and is resistant to invasion.
Many devices, including IP telephones, lack security and encryption
features. The Application Gateway, when used with secure web and
application servers, can reduce the potential security issues associated
with using such equipment.
Because IP phones themselves do not have security policies,
communication between the Application Gateway and IP phones is over
an insecure channel. However, the Application Gateway can be deployed
behind a firewall to provide a secure gateway to protect IP telephone
connections beyond the firewall.
Chapter
Chapter 2 Security Planning
Application Gateway Security Overview
8Application Gateway Network Integration Guide
The Application Gateway is a hardened application server and can be
installed in any network with confidence that it introduces no additional
security risks or liabilities. The Application Gateway has the following
characteristics:
•It is not possible to determine what operating system is running on the
Application Gateway.
•Is not general purpose. Only the processes that are running are
externally visible. Unnecessary services (such as login and listener
services) and unnecessary modules are removed from the Application
Gateway operating system.
•All services interfaces are closed, providing nothing that a worm or
virus could attack. As a result, the Application Gateway is not
vulnerable to worms and viruses that are compiled for traditional
operating systems and is fully protected against worms, viruses, and
other Internet attacks. In this respect, the Application Gateway
appliance is more like a closed router rather than a server.
•Cannot be logged into. You cannot log into the operating system, only
the server software, if authenticated.
•Has few open ports and those ports send packets directly to
Application Gateway processes. Uses only published interfaces to IP
telephones and systems. Port requirements are detailed in the
Pre-Installation Checklist.
•Can be fully configured only over an SSL channel that requires
authentication. Minimal configuration is available through a serial
port. Installation requires physical access to the device.
•Has cryptographically secure licensing.
•Supports 196-bit TLS SSL encryption, as well as lower and higher bit
values defined in your certificate. You might prefer to lower the
encryption if performance is more important than security.
•Provides SSL sessions, with support for HTTPS, IMAPS, POPS, and
SSMTP. SSL support enables deployment of the Application
Gatewaybehind a firewall in order to provide a secure gateway to
protect IP telephone connections beyond the firewall. The Application
Gateway relies on a customer-provided firewall for protection from
Denial of Service (DoS) attacks.
Application Gateway Network Integration Guide
Chapter 2 Security Planning
General Security Issues
9
•Supports digital certificates in Privacy Enhanced Mail (PEM) format
that include a private key. You should install on the Application
Gateway a digital X.509 certificate that belongs to your company. This
will ensure that all SSL transactions will pass with no error warnings
to device users.
•Limits user access to requests for transformed/transcoded data from
IP telephones. For IP phone applications which require user
authentication for use, the Application Gateway uses the
authentication mechanism of the phone system. The Application
Gateway passes authentication requests to the configured
authentication server and returns authentication replies to the
requesting IP phone. The Application Gateway does not manage or
retain user credentials.
•Can be configured to allow only previously identified application data
or specified URLs to pass through it, or to prevent any access to the
Internet.
•Implements a unique and superior cookie management technique that
ensures that cookies never leave the Application Gateway and are
always maintained within the enterprise firewall. The Application
Gateway provides virtual cookies for devices that do not natively
support cookies.
•Supports proxy servers—firewalls that reside on hardware other than
a router.
•Has been tested to ensure that it has no high- or medium-risk security
vulnerabilities and no UNIX, Web server, URL, or port vulnerabilities.
White box testing includes verification of memory checking, buffer
overflow, and open port utilization.
General Security Issues
Information traveling openly across a public network is exposed to
potential risks and vulnerabilities such as theft or alteration of the
transmitted data, invasion by destructive programs, and access by
unauthorized users.
Companies must identify the vulnerabilities they deem most important to
address, and then select countermeasures to protect data as it travels to
and from their site. The benefits of easy data transfer must be balanced
Chapter 2 Security Planning
General Security Issues
10 Application Gateway Network Integration Guide
against the protection of integrity and confidentiality. In addition, good
security involves more than technology. Employees and partners must be
aware of security issues, trained in best practices, and reminded often of
the importance of security to their organization.
To achieve data security, an organization must provide effective methods
to ensure the following:
•Authentication—recognizing and verifying user identity
Authentication can be accomplished through a username and
password; however, passwords can be stolen or revealed.
Organizations often require a more stringent authentication process
such as a digital certificate issued and verified by a Certificate
Authority as part of a public key infrastructure (PKI) that ensures
mutual identification.
•Confidentiality—limiting data access to authorized users only
The confidentiality of sensitive information such as credit card
numbers, telephone numbers, and addresses needs to be protected
from access by unauthorized parties.
•Access control—limiting access to data or services
After authenticating a user, the network authorizes the user to transact
his or her business. A user’s access level can be monitored based on the
user’s identification and authentication level. Different users can be
granted different levels of access as needed.
•Integrity—ensuring that data has not been altered during
transmission
•Non-repudiation—preventing disavowal of a transaction once it is
completed
The integrity and non-repudiation functions ensure that information
arrives as intended and remains intact throughout the entire process,
that certain information is available only to authorized users, and that
a transaction cannot be disavowed either by the parties or the
record-keeping mechanism.
•Encryption—protecting data using a cipher
Application Gateway Network Integration Guide
Chapter 2 Security Planning
Application Gateway Security Solutions
11
Communications security is the protection of information during
transmission from unauthorized or accidental modification,
destruction, and disclosure. Since it can be difficult to prevent
unauthorized access to signal transmissions, the best security often
involves using some form of encryption.
•Privacy—protecting user identification and location data
An important aspect of security is ensuring that sensitive user
information, such as location, is not compromised or misused. For
example, location information may not be necessary for a particular
transaction, but it could be very valuable and collecting it is subject to
misuse.
Application Gateway Security Solutions
The Application Gateway supports the standard tools used to provide
network security. The technologies discussed in the following sections
comprise an essential and trustworthy infrastructure:
Authentication, page 11
Secure Socket Layer , page 12
Cookies and Secure Cookies , page 13
Other Security Features, page 13
Authentication
The Application Gateway supports administrator and user logins. To
reach the Application Gateway administration interface, an administrator
must provide valid credentials. Administrator accounts are managed
through the administration interface and administrator credentials are
stored on the Application Gateway as an inaccessible, one-way hash.
For IP phone users, the Application Gateway uses the authentication
mechanism of the phone system for any IP phone applications which
require user authentication. The Application Gateway passes
authentication requests to the configured authentication server and
returns authentication replies to the requesting IP phone. The Application
Gateway does not manage or retain user credentials.
Chapter 2 Security Planning
Application Gateway Security Solutions
12 Application Gateway Network Integration Guide
The Application Gateway also protects the passwords that must be
entered for connections to devices needed for operations, such as LDAP
servers, SMTP servers, and so on. Any password entry required for such
servers is not echoed to the screen during entry or during subsequent
viewing of the configuration data, either on screen or in the system logs.
All passwords stored on the Application Gateway are stored as an
inaccessible, one-way hash.
Secure Socket Layer
The Secure Socket Layer (SSL) protocol ensures privacy between
communicating applications and their users on the Internet. SSL uses a
program layer located between the Hypertext Transfer Protocol (HTTP)
and Transmission Control Protocol (TCP) layers. SSL is included in most
browsers and Web server products. Developed by Netscape, SSL has also
gained the support of Microsoft and other Internet client/server
developers, becoming the standard.
The Application Gateway provides SSL sessions, with support for HTTPS,
IMAPS, POPS, and SSMTP. SSL support enables deployment of the
Application Gateway behind a firewall in order to provide a secure
gateway to protect IP telephone connections beyond the firewall.
The “socket” part of the term Secure Socket Layer refers to the socket
method of passing data back and forth between a client and a server
program in a network or between program layers in the same computer.
SSL uses the public-and-private key encryption system from RSA Security,
which also includes the use of a digital certificate.
The Application Gateway supports digital certificates in Privacy
Enhanced Mail (PEM) format that include a private key. You should install
on the Application Gateway a digital X.509 certificate that belongs to your
company. This will ensure that all SSL transactions will pass with no error
warnings to device users. Certificates from Verisign and Thawte are
supported.
While the Application Gateway supports 196-bit TLS SSL encryption, you
have the option to lower the encryption of the certificate if performance is
more important than security.
Application Gateway Network Integration Guide
Chapter 2 Security Planning
Application Gateway Security Solutions
13
Cookies and Secure Cookies
Many Internet sites do not allow entry unless cookies are enabled; many
IP phones have no ability to accept cookies. Other solutions address this
cookie management problem by caching cookies on the server and using
some unique identifier, such as the device ID, to associate cookies with a
particular user. The cookie for that particular session is included in the
URL and is valid only for that session. Once the session is terminated, the
cookie is flushed from the cache. This approach offers no security since the
packets can be intercepted by a third party and used to spoof the
content-adaptation device into sending the data to the interloper. More
importantly, this approach makes no distinction between unsecured and
secure cookies.
The Application Gateway implements a unique and superior cookie
management technique that ensures that cookies are always maintained
within the enterprise firewall, retained between the Application Gateway
and the application server. The Application Gateway provides virtual
cookies for devices that do not natively support cookies. The device user
is never aware of the cookie.
Other Security Features
Products on LANs must control access to unauthorized sites and
addresses via ftp, telnet and other services. IP phone Voice Applications
access only the sites configured for the applications.
The Application Gateway also:
•Has a configurable buffer size, to control the amount of data that can
be pulled into the Application Gateway before being sent to the client.
If an object exceeds the maximum buffer size, the Application
Gateway drops the object.
•Supports the upload of software upgrades over a secure SSL-protected
channel. All access to the Application Gateway can be secured with
SSL connections.
•Provides system logs that can be secured when used with a secure
syslog server.
Chapter 2 Security Planning
Application Gateway Security Solutions
14 Application Gateway Network Integration Guide
Other manuals for 1000 Con?guration guide
32
This manual suits for next models
1
Table of contents
Other Nortel Network Router manuals
Nortel
Nortel Secure Router 4134 User manual
Nortel
Nortel BSR222 Quick guide
Nortel
Nortel BayStack 460-24T-PWR User manual
Nortel
Nortel 252 User manual
Nortel
Nortel BayStack 460-24T-PWR Reference guide
Nortel
Nortel VPN Router v7.05 User manual
Nortel
Nortel Contivity 100 User instructions
Nortel
Nortel 222 User manual
Nortel
Nortel SR1001 User manual
Nortel
Nortel 425-24T User manual
Nortel
Nortel 4500 Series Quick guide
Nortel
Nortel Passport 8600 Series User manual
Nortel
Nortel BayStack 460-24T-PWR Reference guide
Nortel
Nortel 8300 Series Operation and maintenance manual
Nortel
Nortel 2700 User manual
Nortel
Nortel business policy switch 2000 User manual
Nortel
Nortel 8300 Series Operating instructions
Nortel
Nortel 8300 Series User manual
Nortel
Nortel Contivity 110 Supplement
Nortel
Nortel Secure Router 4134 User manual
