Implementing Encrypted Conversations Between Avaya Softphone Endpoints with Avaya IP Office 403 and Avaya S8300 Media Server - Issue 1.

(1)

SGS; Reviewed:

Avaya Solution & Interoperability Test Lab

Implementing Encrypted Conversations Between Avaya

Softphone Endpoints with Avaya IP Office 403 and Avaya

S8300 Media Server - Issue 1.0

Abstract

(2)

SGS; Reviewed:

1. Introduction

These Application Notes describe how to utilize various technologies to create encrypted

conversations directly between Avaya Softphone endpoints and an Avaya Security Gateway 200

(SG200). In particular, this document takes a closer look at an Avaya S8300 Media Server and

an Avaya IP Office 403 and describes how to secure conversations between PC Softphones via

IPSec encryption that is provided by a combination of an Avaya SG200 and a pair of Avaya

VPNremote clients installed in the Avaya Softphone endpoints.

Additionally, the configuration shows how to take advantage of the Direct Media capabilities

that are built-in throughout Avaya’s product line in order to keep the encrypted conversation

local to the Avaya Softphone endpoints and the Avaya SG200. This is an important point

because the core network will be relieved of voice traffic, as the Avaya SG200 will push secure,

encrypted voice traffic to the edge of the network.

In Figure 1, an Avaya IP Office 403 and an Avaya Communication Manager are connected via

an H.323 trunk. The example in these Application Notes shows this trunk is configured with

Direct Media options.

Additionally, a route pattern example shows Avaya Communications Manager Software (S8300)

Softphone extension 41100 and IP Office extension 29905 being able to reach each other.

Next, a configuration of the Avaya SG200 and the client endpoints is provided to illustrate

encryption of the Softphone endpoints between the two products.

Lastly, options are shown for configuring the Avaya Softphone and the Avaya Phone Manager

Pro (Avaya Softphone for IP Office).

Some things to note:

• The Avaya P333T Stackable Layer 2 Switch is set to factory defaults. No configuration is

necessary.

• The two Softphone endpoints will shuffle their IP address for direct media after the phone

call is answered.

• The encrypted tunnels are between the IP endpoints and the SG200. The endpoints do

not have the capability to create tunnels directly between themselves.

(3)

SGS; Reviewed:

10.1.2.1 Private Avaya SG200 Public 10.1.1.1 Management Server Avaya P333T Switch Avaya S8300/G700 10.1.2.0/24 .23 Avaya IP Office 403 .50 .150 10.1.2.0/24 PC running Avaya Phone Manager Pro and Avaya VPNremote

Public address 10.1.1.100 Private Address 140.140.140.2 Ext 29905 PC running Avaya Softphone and Avaya

VPNremote Public address 10.1.1.200 Private Address 140.140.140.1 Ext 41100 IPSec Tunnel Avaya P333T Switch

Figure 1: Sample Network used for IPSec Encryption and Direct Media

2. Equipment and Software Validated

The following equipment and software were used for the sample configuration provided:

Equipment

Software

Avaya S8300 Media Server

R011X.03.1.532.0

Avaya G700 Media Gateway

20.1.18.0(A) 16

Avaya IP Office 403

2.09 Avaya Softphone

5.0.4.4 Avaya Phone Manager Pro

2.0.7 Avaya VPNremote Client

4.1.14 Avaya SG200

4.31.26 Avaya P333T Layer 2 Stackable Switch

3.12.1 Table A: Version Table

(4)

SGS; Reviewed:

3.1. Configure Extensions

Step 1: Configure the extensions. Enter the appropriate extension information for the IP

Telephone. On page 1, verify that the IP Softphone field is on. On page 2, turn on Direct IP-IP

Audio Connections and IP Audio Hairpinning. See Figure 2.

Change Station 41102 Page 1 of 4 SPE B STATION

Extension: 41100 Lock Messages? n BCC: 0 Type: 4624 Security Code: TN: 1 Port: S00081 Coverage Path 1: COR: 1 Name: S8300 41102 Coverage Path 2: COS: 1 Hunt-to Station:

STATION OPTIONS

Loss Group: 2 Personalized Ringing Pattern: 1

Message Lamp Ext: 41100 Speakerphone: 2-way Mute Button Enabled? y

Display Language: english

Media Complex Ext: IP SoftPhone? y

change station 41102 Page 2 of 4 SPE B STATION

FEATURE OPTIONS

LWC Reception: spe Auto Select Any Idle Appearance? n LWC Activation? y Coverage Msg Retrieval? y LWC Log External Calls? n Auto Answer: none CDR Privacy? n Data Restriction? n Redirect Notification? y Idle Appearance Preference? n Per Button Ring Control? n

Bridged Call Alerting? n Restrict Last Appearance? y Active Station Ringing: single

H.320 Conversion? n Per Station CPN - Send Calling Number? Service Link Mode: as-needed

Multimedia Mode: enhanced

MWI Served User Type: Display Client Redirection? n AUDIX Name: Select Last Used Appearance? n Coverage After Forwarding? s Multimedia Early Answer? n Direct IP-IP Audio Connections? y Emergency Location Ext: 41102 IP Audio Hairpinning? y

(5)

SGS; Reviewed:

3.2. Configuring IP Trunks

Step 1: Configure IP node names. Assign names and IP addresses for the Avaya S8300 Media

Server interface. Assign a name to the far-end IP Office gatekeeper and enter its IP address. See

Figure 3.

change node-names ip Page 1 of 1 SPE B IP NODE NAMES

Name IP Address Name IP Address PROCR 10 .1 .2 .150 . . . IP-Office 10 .1 .2 .50 . . . default 0 .0 .0 .0 . . .

Figure 3: Configuring IP Node Names

Step 2: Verify the gateway and subnet mask information for the Avaya S8300 Media Server

interface. This information should have been auto-populated from the initial web server

administration. See Figure 4.

change ip-interfaces Page 1 of 19 SPE B IP INTERFACES

Enable Net Eth Pt Type Slot Code Sfx Node Name Subnet Mask Gateway Address Rgn y PROCR 10 . 1. 2.150 255.255.255.0 10 .1 .2 .1 6

(6)

SGS; Reviewed:

Step 3: Create the signal group. Figure 5 shows the configuration of the associated signaling

group parameters for Trunk Group 8. Notice that the field Trunk Group for Channel

Selection must be left blank when adding the signaling group, even though this screen shows the

value 8. This value will be added in a later step. Turn on Direct IP-IP Audio Connections and

IP Audio Hairpinning.

change signaling-group 8 Page 1 of 5 SPE B SIGNALING GROUP

Group Number: 8 Group Type: h.323

Remote Office? n Max number of NCA TSC: 0 Max number of CA TSC: 0 Trunk Group for NCA TSC: Trunk Group for Channel Selection: 8

Supplementary Service Protocol: b

Near-end Node Name: procr Far-end Node Name: IP-Office Near-end Listen Port: 1720 Far-end Listen Port: 1720 Far-end Network Region:

LRQ Required? n Calls Share IP Signaling Connection? n RRQ Required? n

Bypass If IP Threshold Exceeded? n Direct IP-IP Audio Connections? y IP Audio Hairpinning? y Interworking Message: PROGress

(7)

SGS; Reviewed:

Step 4: Create the trunk group. Figure 6 shows IP trunk group 8 configured. Pages 1 and 2

describe trunk group attributes. Page 6 assigns ports to the trunk group where the first 15 ports

were assigned for voice over this trunk. When entering the ports on page 6, simply enter “IP”

and the S8300 will automatically assign the T00XXX port ID for the IP trunk.

Now set the Trunk Group for Channel Selection field to 8 in the signaling-group. Figure 6

shows how to configure the trunk group.

change trunk-group 8 Page 1 of 22 SPE B TRUNK GROUP

Group Number: 2 Group Type: isdn CDR Reports: y Group Name: IP Office IP Trunk COR: 1 TN: 1 TAC: 108 Direction: two-way Outgoing Display? y Carrier Medium: IP Dial Access? n Busy Threshold: 255 Night Service: Queue Length: 0

Service Type: tie Auth Code? n TestCall ITC: rest Far End Test Line No:

TestCall BCC: 4 TRUNK PARAMETERS

Codeset to Send Display: 0 Codeset to Send National IEs: 6 Max Message Size to Send: 260 Charge Advice: none

Supplementary Service Protocol: b Digit Handling (in/out): enbloc/enbloc Trunk Hunt: cyclical QSIG Value-Added? y Digital Loss Group: 13 Calling Number - Delete: Insert: Numbering Format: lev0-pvt Bit Rate: 1200 Synchronization: async Duplex: full Disconnect Supervision - In? y Out? n

Answer Supervision Timeout: 0

change trunk-group 8 Page 2 of 22 SPE B TRUNK FEATURES

ACA Assignment? n Measured: none Wideband Support? n Internal Alert? n Maintenance Tests? y Data Restriction? n NCA-TSC Trunk Member: Send Name: y Send Calling Number: y Used for DCS? n

Suppress # Outpulsing? N Numbering Format: private

Outgoing Channel ID Encoding: preferred UUI IE Treatment: service-provider Replace Restricted Numbers? n Replace Unavailable Numbers? n Send Connected Number: y Send UUI IE? y

Send UCID? n Send Codeset 6/7 LAI IE? y

(8)

SGS; Reviewed:

change trunk-group 8 Page 6 of 22 SPE B TRUNK GROUP

Administered Members (min/max): 1/31 GROUP MEMBER ASSIGNMENTS Total Administered Members: 31 Port Code Sfx Name Night Sig Grp

1: T00109 8 2: T00110 8 3: T00111 8 4: T00112 8 5: T00113 8 6: T00114 8 7: T00115 8 8: T00116 8 9: T00117 8 10: T00118 8 11: T00119 8 12: T00120 8 13: T00121 8 14: T00122 8 15: T00123 8

Figure 6: Configuring IP Trunk 2 for Private Numbering

Step 5: Assign an IP network region. Figure 7 shows the network region QoS parameters for the

IP trunk. Point the network region to the appropriate IP Codec set. Turn on Direct IP-IP Audio

Connections and IP Audio Hairpinning.

change ip-network-region 6 Page 1 of 2 SPE B IP Network Region Region: 1 Name: Audio Parameters Direct IP-IP Audio Connections? y Codec Set: 1 IP Audio Hairpinning? y Location: UDP Port Range RTCP Enabled? y Min: 16384 RTCP Monitor Server Parameters Max: 32767 Use Default Server Parameters? y DiffServ/TOS Parameters Call Control PHB Value: 34 VoIP Media PHB Value: 46 BBE PHB Value: 43 802.1p/Q Enabled? n change ip-network-region 6 Page 2 of 2 SPE B Inter Network Region Connection Management Region (Group Of 32) 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 001-032 1 1 033-064 065-096 097-128

(9)

SGS; Reviewed:

Step 6: Choose a codec negotiation list. Assign preferred codecs in descending order. See

Figure 8.

change ip-codec-set 1 Page 1 of 1 SPE B IP Codec Set

Codec Set: 1

Audio Silence Frames Packet Codec Suppression Per Pkt Size(ms) 1: G.729A n 2 20 2: G.729 n 2 20 3: G.711MU n 2 20 4: 5: 6: 7:

Figure 8: Configuring IP Codec Set

3.3. Configuring Dial Plans

Telephone extensions beginning with 2 are forwarded to IP Office. These extensions are not

defined in the Avaya Communication Manager system. Instead, they are compared against a

Uniform Dialplan Table. If there is a match, digits are analyzed and manipulated in the AAR

Analysis Table and are then forwarded to the corresponding trunk group to IP Office, based on

the Route Pattern Table.

Step 1: Create a Uniform Dialplan for 2. Create an entry for the first four digits of the five-digit

extension. Specify the length of 5 so that the last digit will act as a placeholder for the number.

Although the last digits are not directly referenced in the ensuing figures, they will be passed

along. The first digit is deleted and “200” is added to form the seven digit number 200XXXX.

This number is then forwarded to the AAR analysis table for further processing. See Figure 9.

change uniform-dialplan 2 Page 1 of 2 SPE B UNIFORM DIAL PLAN TABLE

Percent Full: 0 Matching Insert Node Matching Insert Node Pattern Len Del Digits Net Conv Num Pattern Len Del Digits Net Conv Num 2 5 1 200 aar n 31228 5 0 ext n

(10)

SGS; Reviewed:

Step 2: Create an AAR Analysis entry. Create the AAR analysis entry for the seven-digit

number of 200XXXX. Specify a minimum and maximum of 7 digits. Route pattern 4 is assigned

for further processing in the Route Pattern Table.

change aar analysis 200 Page 1 of 2 SPE B AAR DIGIT ANALYSIS TABLE

Percent Full: 5 Dialed Total Route Call Node ANI

String Min Max Pattern Type Num Reqd 200 7 7 4 aar n

Figure 10: AAR Analysis Form

Step 3: Create Route Pattern 4. Route Pattern 4 has one entry associated with it. The entry

corresponds to trunk group 8 that was previously created. The digits will be forwarded to the

trunk.

Before the seven digits are forwarded, the first three digits, “200”, will be stripped off and the

digit “2” will be added so that only the original five digits will be sent. See Figure 11.

change route-pattern 4 Page 1 of 3 SPE B Pattern Number: 20

Grp FRL NPA Pfx Hop Toll No. Inserted DCS/ IXC No Mrk Lmt List Del Digits QSIG Dgts Intw 1: 8 0 0 3 2 n user 2: n user 3: n user 4: n user 5: n user 6: n user BCC VALUE TSC CA-TSC ITC BCIE Service/Feature BAND No. Numbering LAR 0 1 2 3 4 W Request Dgts Format

Subaddress

1: y y y y y n y as-needed bothept lev0-pvt none 2: y y y y y n n rest none 3: y y y y y n n rest none

(11)

SGS; Reviewed:

3.4. Configuring IP Office

Step 1: Configure a user. Under the User option in Avaya IP Office Manager, enter the user

information.

(12)

SGS; Reviewed:

Step 2: Enter telephony options. The form in Figure 13 captures the most common telephony

options. Choose “VoIP” for Phone Manager Type when configuring a station for Phone

Manager Pro.

(13)

SGS; Reviewed:

Step 3: Configure Line options. Create a new line and enter information as in Figure 14.

(14)

SGS; Reviewed:

Step 4: Enter VoIP information. Enter the information as in Figure 15 for proper H.323 trunk

operation. Make sure Enable Faststart, Out of Band DTMF, and Allow Direct Media Path

are all checked.

(15)

SGS; Reviewed:

Step 5: Configure Shortcode. Configure the shortcode so that the Avaya Communication

Manager dialplan digits will be forwarded to the Avaya IP Office H.323 trunk as in Figure 16.

(16)

SGS; Reviewed:

3.5. Configuring Avaya SG200

Step 1: Configure interfaces. From a PC, launch a web browser and log into the Avaya SG200.

Select Configure and then select the Network tab. Configure the Public and Private Interfaces

with the appropriate IP addresses. Re-connect to the Avaya SG200 with the PC configured to

the new network information. See Figure 17 and Figure 18.

(17)

SGS; Reviewed:

(18)

SGS; Reviewed:

Step 2: Configure a dynamic policy. Click on the Security Tab and select Dynamic Policy.

Click on the Address Pool button and enter the IP Address pool range as in Figure 19.

(19)

SGS; Reviewed:

Step 3: Configure Remote Users. Click on the Users tab and select Remote Users. Add two

new users as in Figure 20.

(20)

SGS; Reviewed:

Step 4: Create a VPN (Screen 1). Click on the Security tab and on VPN Setup. Click on the

Add button and enter the information as in Figure 21. Click Next to continue.

(21)

SGS; Reviewed:

Step 5: Create a VPN (Screen 2). Leave this screen blank. Click on the Next button to continue.

(22)

SGS; Reviewed:

Step 6: Create a VPN (Screen 3). Move the users from Available User(s) to Member User(s).

Click on Next to continue.

(23)

SGS; Reviewed:

Step 7: Create a VPN (Screen 4). Enter the information as in Figure 24. Click on the Add

button to create the encryption and authentication parameters. Click on Finish to complete the

VPN configuration.

(24)

SGS; Reviewed:

3.6. Configuring Avaya VPNremote VPN Client Software

Step 1: Install Avaya VPNremote VPN Client Software. Supply the parameters as shown in

Figure 25.

(25)

SGS; Reviewed:

Step 2: Configure Avaya VPNremote VPN Client Software Preferences. Configure the

preferences as shown in Figure 26.

(26)

SGS; Reviewed:

3.7. Configuring Avaya IP Softphone

Step 1: Configure Avaya IP Softphone. Install the Avaya Softphone and use the configuration

parameters as shown in Figure 27.

(27)

SGS; Reviewed:

3.8. Configuring Avaya Phone Manager Pro

Step 1: Configure Avaya Phone Manager Pro. Configure the Avaya Phone Manager Pro log on

screen by pressing the Configure button and choosing PBX…. Enter the information as in the

form in Figure 28.

(28)

SGS; Reviewed:

Step 2: Configure Preferences. Click on Configure and select Preferences… Click on the

Phone Manager tab and select the preferences as in Figure 29.

(29)

SGS; Reviewed:

Step 3: Configure Audio Codec. Click on Configure and Preferences… Click on the Audio

Codec tab and enter information as in Figure 30.

(30)

SGS; Reviewed:

4. Verification Steps

Log into the Avaya S8300 Media Server and type “status trunk 8”. The trunk status should be

“in service/idle” as shown in Figure 31. If not, recheck the configuration.

status trunk 8 Page 1 SPE B TRUNK GROUP STATUS

Member Port Service State Mtce Connected Ports Busy

008/001 T00011 in-service/idle no 008/002 T00012 in-service/idle no 008/003 T00013 in-service/idle no

Figure 31: Displaying the Status of the Trunk

Verify that the PC client tunnels are up. Open the Avaya VPNremote VPN Client Software, click

on the Advanced button, click on the Secure Connection tab. Verify that the tunnels are up. If

they are, click on one of them to view details of the key exchange and encryption algorithm

information. See Figure 32.

(31)

SGS; Reviewed:

Place calls between the two softphones and verify that the calls route properly, the displays are

correct, and voice quality is acceptable. It is possible to monitor the progress of the call on the

Avaya S8300 Media Server trunk by typing “list trace tac 108”, where the TAC ID was

previously assigned in the trunk group form for trunk 8. Notice that the last two lines show that

the two PC endpoints shuffled their respective IP addresses, 140.140.140.1 and 140.140.140.2.

See Figure 33.

list trace tac 108 Page 1 SPE B LIST TRACE

time data

05:36:01 Calling party station 41100 cid 0x149 05:36:01 Calling Number & Name 41100 ACM JIM 05:36:01 dial 29905

05:36:01 term trunk-group 8 cid 0x149 05:36:01 dial 29905

05:36:01 route-pattern 4 preference 1 cid 0x149 05:36:01 seize trunk-group 8 member 2 cid 0x149 05:36:01 Setup digits 2009905

05:36:01 Calling Number & Name NO-CPNumber NO-CPName

05:36:01 G711MU ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.152:17386 05:36:02 Alert trunk-group 8 member 2 cid 0x149

05:36:02 G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 10.1.2.152:17388 05:36:05 active trunk-group 8 member 2 cid 0x149

05:36:05 G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.50:49242 05:36:05 G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 140.140.140.1:16384 05:36:06 G729A ss:off ps:20 rn:6/6 140.140.140.2:5020 140.140.140.1:16384 05:36:06 G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 140.140.140.2:5020

Figure 33: Displaying The Trace of a Call Over a Trunk

5. Conclusion

(32)

SGS; Reviewed:

©