Acano solution 1.
Contents
1 Introduction ... 5
  1.1 How to Use this Guide ... 5
    1.1.1 Commands ... 6
    1.1.2 Management and network interfaces ... 6
  1.
    5.2.3 Creating a coSpace on the Acano solution ... 30
    5.2.4 Adding a dial plan rule on the Acano solution ... 31
  5.3 Media Encryption for SIP Calls ... 31
  5.4 Enabling TIP Support ... 31
  5.5 IVR Configuration ...
Appendix A DNS Records Needed for the Acano Solution ... 54
Appendix B Ports Required ... 55
Appendix C Example of Configuring a Static Route from a Lync Front End Server ... 58
  Lync Configuration Changes ... 58
  Acano Solution Configuration ...
1 Introduction
Note: This version of the Deployment Guide has had a number of certificate-related sections removed and has therefore been slightly reorganized. That information is now in a new Certificates Guidelines document for the single combined solution. See section 1.1.
This guide covers the Acano solution deployed as a single combined server (see the figure below). This deployment has no scalability or resilience.
Figure 2: Installation and deployment documentation
1.1.1 Commands
In this document, commands are shown in black and must be entered as given, replacing any parameters in <> brackets with your appropriate values. Examples are shown in blue and must be adapted to your deployment.
1.1.2 Management and network interfaces
There are two layers to the Acano solution: a Platform and an Application. The Platform is configured through the Mainboard Management Processor (MMP).
Note: There is no physical separation between the media interfaces A-D on an X series server, but the Admin interface is physically separate. Each interface is configured independently of the others at the IP level. IP forwarding is not enabled in either the Admin or the host IP stack. See the appropriate Installation Guide (Acano X series or virtualized deployment) for details.
1.2 Application Programming Interface
The Acano solution supports an Application Programming Interface (API).
2 Prerequisites and Deployment Overview
2.1 Prerequisites
The items you need before installing and configuring the Acano solution in a typical customer environment are listed below; some of them can be configured beforehand.
2.1.1 DNS configuration
The Acano solution needs a number of DNS SRV and A records. See Appendix A for the full list; specific records are also mentioned where relevant.
2.1.
syslog server add syslog01.example.com 514
syslog server add 192.168.3.4 514
3. Enable the Syslog server by entering:
syslog enable
4. Optionally, if you want to send the audit log to a Syslog server, follow these steps. (The audit log facility records configuration changes and significant low-level events.
2.1.7 Host name
The hostname must be set for the Acano server:
1. If necessary, SSH into the MMP and log in.
2. Type:
hostname
For example:
hostname london1
hostname mybox.example.com
3. Type:
reboot
Note: A reboot is required after issuing this command.
2.1.8 Other requirements
Read-only access to the LDAP server, in order to import users and calling data automatically. Refer to the section on LDAP configuration for more details.
cables to a power supply socket to implement power supply redundancy (or even to separate power supplies), but the server will work with just a single power unit connected.
2U of rack space if using the rack mounting kit provided; 3U of rack space if installing on a shelf.
A minimum of two Ethernet links: one for the MMP (labeled Admin on the back of Acano X series servers).
2.2 Deployment Overview
This section outlines the steps required to deploy the Acano server (in addition to the prerequisites from the previous section). See the diagram below.
Figure 3: Example Acano solution using an Acano X series server
2.2.1 SIP trunks and routing
SIP trunks need to be set up to the Acano solution from one or more of the following: SIP Call Control, Voice Call Control and the Lync Front End (FE) server.
Lync 2010 and 2013 clients can share content. The Acano solution transcodes the content from native Lync RDP into the video format used by the other participants in the meeting and sends the content in a separate stream. Lync clients receive content from the meeting in the main video. The Lync FE Server needs a Trusted SIP Trunk configured to route calls originating from Lync endpoints through to the SIP video endpoints, i.e.
Figure 4: Example call flow diagram
Notes on the figure:
Internal clients connect directly to the XMPP server on port 5222, and media flows directly between the Acano client and the Call Bridge.
External Acano clients establish a control connection to the XMPP server (black line). Media can go directly from the Acano client to the Call Bridge (dashed blue line) or be relayed via the TURN server if required (blue line).
Both internal and external Acano clients use ICE/TURN to find suitable candidates for connectivity and choose the best; for internal clients this will always be the local host candidates on the internal network.
2.2.4 Acano Web Bridge
If you are using the Acano WebRTC Client you need to enable and configure the Acano Web Bridge; refer to the sections on configuring the Web Bridge and on Web Admin Interface settings for the Web Bridge.
3 Configuring the MMP
The Acano solution components are configured using the MMP.
3.1 Creating and managing MMP and Web Admin Interface User Accounts
You should have created an MMP administrator user account by following one of the Installation Guides; if so, go on to the next section. The same account is used to access the Web Admin Interface.
3.3 Configuring the Web Admin Interface for HTTPS Access
The Web Admin Interface is the Call Bridge's user interface. You should have set up the certificate for the Web Admin Interface (by following one of the Installation Guides). If you have not, do so now.
1. The port for the Web Admin Interface is 443 unless you configured Web Admin Interface access on the same interface as the Web Bridge.
Note: The Call Bridge must be listening on a network interface that is not NAT'd to another IP address, because the Call Bridge is required to convey the IP address configured on that interface in SIP messages when talking to a remote site.
3. Configure the Call Bridge to use the certificates with the following command, so that a TLS connection can be established between the Lync FE server and the Call Bridge, for example:
callbridge certs callbridge.key callbridge.
On a virtualized deployment you must upload license.dat yourself (using SFTP). If you have not done so already, contact support@acano.com with one of the MAC addresses assigned to the VM to obtain this file. See the virtualized deployment specific prerequisites.
The XMPP server can be configured to listen on any subset of the four media interfaces and ignore connections from any interface in the complement.
4. Establish an SSH connection to the MMP and log in.
5.
3.6 Configuring the Web Bridge
The Web Bridge is used by the Acano WebRTC client. If you are testing the WebRTC Client you need to set the network interface for the Web Bridge and then enable it. Otherwise, skip this section.
1. SSH into the MMP.
2. Configure the Web Bridge to listen on the interface(s) of your choice with the following command:
webbridge listen
The Web Bridge can listen on multiple interfaces, e.g.
2. Configure the TURN server with the following command:
turn credentials
The following is an example where the username is myusername, the password is mypassword and the realm is example.com:
turn credentials myusername mypassword example.com
3.
turn enable
Acano solution: Single combined Acano server Deployment Guide R1.
4 LDAP Configuration
You must have an LDAP server (currently Active Directory or OpenLDAP) to use the Acano solution. User accounts are imported from the LDAP server, and you can create user names by importing fields from LDAP. Passwords are not cached on the Acano solution: a call is made to the LDAP server when an Acano client authenticates, so passwords are managed centrally and securely on the LDAP server.
4.
Address = the IP address of your LDAP server
Port = usually 636
Username = the Distinguished Name (DN) of a registered user. You may want to create a user for this purpose
Password = the password for the user name you are connecting as
Secure Connection = select this setting for a secure connection
For example:
Address: 100.133.2.
Using an extensible matching rule (LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941), it is possible to filter on membership of any group in a membership hierarchy (below the specified group); for example:
(&(memberOf:1.2.840.113556.1.4.
For more information see the appendix on LDAP field mappings.
Note: Each imported user must have a unique XMPP user ID (JID), constructed using the JID field in the Field Mapping Expressions section of Configuration > Active Directory. To construct a valid JID, any attribute used in the JID field mapping expression must be present in each LDAP record that is to be imported.
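As an added example (not code from the Acano guide), the following Python builds the chain-rule filter with the OID named above, escapes the group DN per RFC 4515 so that a DN containing filter metacharacters cannot change the filter's meaning, and walks a constructed sample directory to show which users such a filter selects; the (objectClass=user) clause and the sample DNs are assumptions.

```python
"""Build and sanity-check the nested-group LDAP filter described above."""

# Matching rule OID named in the guide (LDAP_MATCHING_RULE_IN_CHAIN).
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value (here a group DN) before embedding it in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_group_filter(group_dn: str, object_filter: str = "(objectClass=user)") -> str:
    """Return a filter matching users whose membership chain reaches group_dn.

    group_dn is the DN of the top group; object_filter narrows the results
    (the objectClass=user default is an assumption, not from the guide).
    """
    member_of = f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    return f"(&{member_of}{object_filter})"


# Constructed sample directory: group DN -> member DNs (users or other groups).
# 'London Staff' is nested in 'Video Users', and the two also form a cycle,
# so the walker must guard against looping forever.
SAMPLE_DIRECTORY = {
    "CN=Video Users,OU=Groups,DC=example,DC=com": [
        "CN=Fred Blogs,OU=Users,DC=example,DC=com",
        "CN=London Staff,OU=Groups,DC=example,DC=com",
    ],
    "CN=London Staff,OU=Groups,DC=example,DC=com": [
        "CN=Anne Other,OU=Users,DC=example,DC=com",
        "CN=Video Users,OU=Groups,DC=example,DC=com",
    ],
    "CN=Finance,OU=Groups,DC=example,DC=com": [
        "CN=Joe Bloggs,OU=Users,DC=example,DC=com",
    ],
}


def transitive_members(directory: dict, group_dn: str) -> set:
    """Users a chain-rule memberOf filter on group_dn would select.

    Walks the hierarchy from group_dn downwards, collecting user DNs and
    following nested groups (each group is visited once).
    """
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member in directory:
                stack.append(member)  # nested group: keep walking
            else:
                users.add(member)
    return users


if __name__ == "__main__":
    top = "CN=Video Users,OU=Groups,DC=example,DC=com"
    print(nested_group_filter(top))
    for dn in sorted(transitive_members(SAMPLE_DIRECTORY, top)):
        print("would import:", dn)
```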
3. Then synchronizing a particular user in the directory with:
cn = Fred Blogs
TelePhoneNumber = 7655
sAMAccountName = fred.blogs
creates the following coSpace, which can be viewed on the Status > Users page:
Name: Fred Blogs
XMPP id: fred.blogs@xmpp.example.com
And the following coSpace, which can be viewed on the Configuration > coSpace page:
Name: fred.blogs
URI user part: fred.blogs.cospace
5 Dial Plan Configuration – SIP Endpoints
5.1 Introduction
For the Acano solution to be integrated in a SIP, Lync and voice environment, connections need to be set up from the SIP Call Control, Voice Call Control and Lync FE server to the Acano solution, as shown in Figure 1 above. The call routing configuration on these devices must be changed so that calls requiring the Acano solution for interoperability are routed correctly to it.
As shown in the figure above, the Lync FE server needs a Trusted SIP Trunk to the Acano solution, configured to route calls originating from Lync clients through to Acano coSpaces, Acano client users (native and WebRTC) and SIP video endpoints. The subdomains vc.example.com and acano.example.com should be routed through this trunk from the Lync FE server to the Acano solution. The SIP Call Control platform needs a SIP trunk set up to route calls to the example.
5.2.1 SIP call control configuration
This example assumes the SIP Call Control is a Cisco VCS, but similar steps are required on other Call Control devices. See the Third Party Deployment Guide for other examples such as CUCM and Polycom DMA.
Set up a zone to route calls to the Acano solution by logging into the VCS as an administrator and following the steps below.
1. Go to VCS Configuration > Zones > New.
2. Create the zone with the following:
H.323 Mode = Off.
Name = e.g. Call 001
URI = e.g. 88001
Note: coSpaces can also be created from the API. See the API Reference guide.
5.2.4 Adding a dial plan rule on the Acano solution
1. Still in the Web Admin Interface, go to Configuration > Outbound Calls and add a dial plan rule with the following details:
Domain = vc.mycompany.
2. Set both SIP Bandwidth Settings to at least 4000000.
3. Click Submit.
5.5 IVR Configuration
You can configure an Interactive Voice Response (IVR) to route callers manually to preconfigured calls. Incoming calls can be routed to the IVR, where callers are greeted by a prerecorded voice message inviting them to enter the ID number of the call or coSpace they want to join. Video participants see a welcome splash screen with the Acano logo.
6 Dial Plan Configuration – Integrating Lync
6.1 Lync Clients Dialing into a Call on the Acano solution
This section is the equivalent of the previous section, but for Lync endpoints joining a meeting hosted on the Acano solution. It uses the same call number/URI; adapt the example as appropriate.
Figure 8: Example Lync clients calling into Acano server hosted meetings
6.1.
Note: The Local contact domain field should contain the Fully Qualified Domain Name (FQDN) of the Acano server. It should only be set when setting up a trunk to Lync.
Trunk Type = Lync
Local From Domain = acano.mycompany.com
Leave SIP Proxy to Use blank
Lync clients can now dial into call 88001 hosted on the Acano solution by dialing 88001@mycompany.com.
6.
matching/rejection and the other to configure the forwarding behavior. This section gives an overview of these two pages, which are then used in the next section to configure the Acano server to act as a gateway between SIP and Lync calls.
6.3.1 Outbound Calls page
The Outbound Calls page allows you to configure an appropriate dial plan comprising a number of dial plan rules. The dial plan controls the routing of outbound calls.
CAUTION: The default Encryption behavior mode is Auto. This does not match pre-R1.2 behavior. Previously, all "Lync" outbound dialing rules automatically used Encrypted mode; you therefore need to ensure that these rules are explicitly set to Encrypted mode, to prevent the Call Bridge from falling back to unencrypted TCP for these connections if the TLS connection attempt fails.
6.3.
For calls that will be forwarded, you can rewrite the Lync destination domain using the Forwarding Domain; a new call is created to the specified domain. The example Call forwarding rule below forwards calls for the domain lync.example.com, and the routing is determined by the call routing rules. If none of the Domain Matching Patterns matches the domain of an incoming call that was not matched in the Call Matching section, the call is terminated.
6.
In this example:
A Lync user can dial @vc.example.com to set up a call with a SIP video endpoint who is @vc.example.com.
A SIP video endpoint can dial @example.com to set up a call with a Lync endpoint who is @example.com.
Adapt the example as appropriate.
6.4.1 Lync Front End Server configuration
To allow Lync clients to dial SIP video endpoints:
1. Add a Lync static route pointing to the Acano solution for vc.example.com.
6.4.
6.5 Integrating Acano Clients with SIP and Lync Clients
Refer to the LDAP Configuration and Web Admin Interface Settings for XMPP sections for instructions on configuring your Acano solution to use the Acano clients.
Figure 11: Call Bridge to Lync Edge Server Call Flow
4. The Front End server returns the URI of the media relay authentication server (MRAS). (The Lync Edge Server acts as an MRAS.)
5. (and 6) The Call Bridge contacts the MRAS over SIP to get the Lync Edge information for the call. The call media then flows directly between the Call Bridge and the TURN server on UDP port 3478 and returns to the Call Bridge on a port in the ephemeral range above.
You also need to create a Lync user client account to set up the Acano Lync Server Edge configuration. Follow these steps to set up the Acano solution to use the Lync Edge server:
1. Ensure that you have the appropriate DNS records in place; see the appendix on DNS records for the full requirements.
2. Create a new user in your LDAP directory, just as you would any other user in your directory, i.e. firstname = "acano", second name = "edge".
3.
6.7 Lync Federation
Acano solution R1.6 adds support for federation with Microsoft Lync. This allows calls to be made from the Acano server to any Lync domain and vice versa. To allow inbound calls you must:
1. Create the DNS SRV record _sipfederationtls._tcp.domain.com that points to the FQDN of the Acano server. This step requires the Call Bridge to have a public IP address; NAT is not supported in this scenario.
2.
7 Web Admin Interface Settings for XMPP
This section explains how to configure the settings through which the Call Bridge communicates with the XMPP server.
Note: If you are not using the Acano clients, including the WebRTC Client, skip this section.
7.1 Network Topology
The following diagram shows a possible network topology and is used for the examples in this section.
Figure 12: Example network topology showing XMPP server
7.2 XMPP Settings
1.
4. Log in to the Web Admin Interface and configure the XMPP server settings as follows:
a. Go to Configuration > General.
b. Configure the XMPP Server Settings section using the domain, component and secret set up earlier. The Unique Call Bridge name is the component name set up previously (without a domain suffix). The Server Address is the IP address or hostname of the XMPP server, with an optional port suffix after a colon (default is 5223).
7.3 Client-based coSpace Creation and Editing
PC Client users can create coSpaces. These coSpaces have URIs and IDs by default, allowing them to be dialed easily by SIP endpoints. The SIP dial-in URI is created automatically; however, you can enter a preferred SIP URI, and the Acano solution will ensure that it is unique for the domain, assuming this is a single server deployment.
8 Web Admin Interface Settings for the Web Bridge
This section explains how to configure the settings through which the Call Bridge communicates with the Web Bridge server. This allows you to use WebRTC video calls and meetings. If you are testing the WebRTC client, follow the instructions below in the order provided, at any time after the initial Acano solution configuration has been completed. If you are not using this Acano client, skip this section.
8.
Figure 14: WebRTC Client port usage
Note: * Although the port range between the TURN server and the external clients is shown as 32768-65535, currently only 50000-51000 is used. The required range is likely to be larger in future releases.
8.2 Web Bridge Settings
Follow the steps in order.
1. Ensure that you have installed the Web Bridge certificate and license.
2. Ensure that you have configured the Web Bridge.
3.
Guest users selecting the general configured web link see a landing page in which they can enter the Call ID to join a call. In addition, Acano users who have an account but no access to a native Acano client can select the login link in the top right-hand corner of the screen to sign in as they would on a native client.
9 Web Admin Interface Settings for the TURN Server
This section explains how to configure the settings through which the Call Bridge communicates with the TURN server. The TURN server provides the built-in firewall traversal technology used when traversing a firewall or NAT. Follow the instructions below in the order provided, at any time after the initial Acano solution configuration has been completed.
9.
Go to Configuration > General. Set the following:
TURN Server Address (Server) = the internal IP address that the Call Bridge uses to reach the TURN server, avoiding firewall traversal for internal call control
TURN Server Address (Clients) = the public IP address assigned to the TURN server that external clients use to reach it. This is the IP address you entered earlier when you configured the TURN server.
10 Additional Security Considerations & QoS
A number of security topics have already been discussed (e.g. certificates), but Acano solution 1.6 offers a number of additional functions for securing your deployment, as described in this section.
10.1 Common Access Card (CAC) integration
The Common Access Card (CAC) is used as an authentication token to access computer facilities.
10.4 TLS Certificate Verification
You can enable Mutual Authentication for SIP and LDAP in order to validate that the remote certificate is trusted. When enabled, the Call Bridge always asks for the remote certificate (irrespective of which side initiated the connection) and compares the presented certificate against a trust store that has been uploaded and defined on the Acano server.
Note: DSCP tagging applies only to packets sent from the Acano solution. For PC Client DSCP tagging, Group Policy must be used to define the desired DSCP values, because Windows controls this and normal user accounts have no permission to set DSCP.
Appendix A DNS Records Needed for the Acano Solution
Note: You can configure the DNS resolver(s) to return values which are not configured in external DNS servers or which need to be overridden; custom Resource Records (RRs) can be configured which will be returned instead of querying external DNS servers. (The RR is not available to clients.) See the MMP Command Reference for details.
Appendix B Ports Required
The following diagram labels the links on which ports need to be open and shows which firewall is concerned in a single combined server deployment.
Figure 16: Ports that must be open in an Acano solution deployment
The following ports are required by the Call Bridge.
Function      Destination Port  Type  Direction  Used in Link(s)
SIP TLS       5061              TCP   Both       I, JJ, K, O
SIP BFCP      32768-65535       UDP   Incoming   I, JJ
SIP BFCP      1024-65535 #      UDP   Outgoing   I, JJ
API HTTPS     443               TCP   Incoming   M
TURN          3478              UDP   Outgoing   P
TURN          443               TCP   Outgoing   P
STUN/RTP      32768-65535       UDP   Incoming   I, JJ, K
STUN/RTP      32768-65535       UDP   Incoming   P
STUN/RTP      1024-65535 #      UDP   Outgoing   I, JJ, K
RDP           32768-65535       TCP   Incoming   K
RDP           1024-65535 ++     TCP   Outgoing   K
LDAP/LDAPS +  636/389           TCP   Outgoing   H
DNS           53                UDP   Outgoin
The following ports are used by the XMPP Server
Function      Destination Port  Type  Direction  Used in Link(s)  Configurable ?
XMPP Client   5222              TCP   Incoming   A, J
The following ports are used by the TURN Server
Function      Destination Port  Type  Direction  Used in Link(s)  Configurable ?
STUN          3478              UDP   Incoming   A, B
STUN RTP      32768-65535 *     UDP   Incoming   A, B
Note: * Although the range between the TURN server and the external Acano clients is shown as 32768-65535, currently only 5000
Appendix C Example of Configuring a Static Route from a Lync Front End Server
Important Note: This appendix provides an example to be used as a guideline and is not meant to be an explicit set of instructions for you to follow. Acano strongly advises you to seek the advice of your local Lync server administrator on the best way to implement the equivalent in your server's configuration.
1.
something.com with the URI match of your choosing, possibly acano.yourcompany.com if that is the domain used for all Acano calls.
Set-CsStaticRoutingConfiguration -Identity global -Route @{Add=$x}
Enable-CsTopology
This command enables the new topology. Users may have to log out and log in again to pick up the new HD720p setting; all other settings are automatic and should work within a few minutes.
Acano Solution Configuration
1.
Appendix D More information on LDAP field mappings
This section provides additional information on the LDAP field mappings that you set up for the Acano solution.
Appendix E Using a Standby Acano Server
The instructions in this appendix apply to both Acano X series and virtualized deployments.
Backing Up the Currently Used Configuration
1. Establish an SSH connection to the currently used Acano server using an SSH utility such as OpenSSH or PuTTY.
2. Issue the command:
backup snapshot
This backup includes IP addresses, passwords and certificates in a file called name.bak.
When you restore from the backup, everything is overwritten, including the IP address, certificates and the license.dat file. Therefore, if you are restoring onto a different server from the one the backup was made on, you must manually copy the original license.dat file and any certificates that are not valid on the new server. Note that the license.
restart the XMPP server. If certificate files also need to be restored, additional time may be required.
© 2015 Acano (UK) Ltd. All rights reserved. This document is provided for information purposes only and its contents are subject to change without notice. This document may not be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without our prior written permission. Acano and coSpace are trademarks of Acano. Other names may be trademarks of their respective owners.