MITEL BORDER GATEWAY Release 8.
NOTICE The information contained in this document is believed to be accurate in all respects but is not warranted by Mitel Networks™ Corporation (MITEL®). The information is subject to change without notice and should not be construed in any way as a commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and subsidiaries assume no responsibility for any errors or omissions in this document.
CONTENTS
About this Document .......... 1
  Overview .......... 1
  Prerequisites
DNS Support .......... 26
Firewall Configuration for SIP Trunking .......... 26
Call Recording .......... 27
  Call recording vs.
Licensing .......... 49
Upgrades .......... 49
Host Server Requirements .......... 49
  Hardware
MBG Engineering Guidelines, Release 8.0 1 About this Document 1.1 Overview The purpose of this document is to describe configuration rules, provisioning, and performance information for the Mitel Border Gateway, and associated products in order to assist in sales and support of this product. This information is intended for Training, Sales and Product support staff and complements other sales material and product documentation. Note: The Secure Recording Connector (SRC) has been consolidated into MBG.
2 Supported Configurations
2.1 Services
MBG provides the following services:
• Remote MiNet IP Phones: The classic use of MBG, formerly known as the Teleworker Solution, permits remote MiNet phones to securely access the corporate phone network over the Internet.
• Remote SIP IP Phones: Permits Teleworker functionality for SIP hard or soft phones over the Internet.
Figure 1: MBG in traditional Teleworker configuration
Mitel Border Gateway as Internet Gateway
Mitel recommends deploying the Mitel Standard Linux server with Mitel Border Gateway as the Internet gateway and firewall for any enterprise without an existing firewall. Figure 2 shows an example of this configuration using the Mitel Border Gateway and a Mitel Communications Director (3300 ICP). MBG requires two network interfaces and two addresses for this configuration.
Figure 2: MBG as Internet Gateway (no enterprise firewall)
An enterprise can take advantage of the DSL, authenticated DHCP and PPPoE/PPPoA capabilities of the MSL server. MSL additionally provides NAT for all devices at the enterprise, a stateful packet filter firewall, and optional port-forwarding. Note: If desired and if hardware is available, a third interface may be configured in MSL.
Warning: The local networks configuration serves as both application access control and as static routing configuration. Note: Local Networks is a feature of MSL. Refer to the MSL documentation for a full description of its capabilities.
Mitel Border Gateway in a DMZ
The Mitel Border Gateway can also be deployed behind a customer-provided or customer-managed firewall as shown in Figure 3. This firewall must have 3 network interfaces (ports): WAN, LAN, and DMZ.
3. able to reach the internal network/LAN
4. preferably dedicated solely to MBG, but also see Port-forwarding firewalls
2.3 NAT Traversal for MICD
In a multi-tenant MICD install, it is possible to find tenant sites with overlapped network ranges, and without NAT at the customer edge network. In this case, MBG can be used to perform NAT traversal between the tenant sets and the MICD solution.
Figure 4: MBG providing NAT traversal for MICD
Figure 5: MBG as a Gateway for Broadview Networks silhouette
2.5 Secure Recording Environment
When MBG is provisioned with call recording licenses, it can provide a secure man-in-the-middle for call recording. This mode is supported only in a LAN environment. It is advisable to disable MiNet restrictions on the MBG server providing call recording service, as having all LAN sets authenticate through MBG is likely not required.
Figure 6: Sample call recording deployment
Figure 6 shows one sample configuration that could be used. IP phones that are to be recorded are on the same LAN segment as the MBG server. DHCP is enabled in MSL, and MBG provides DHCP configuration such that the sets use the MBG server as their TFTP server and as their ICP. MBG then proxies the set registrations to the real ICP on the other segment.
Figure 7: Recording teleworker sets
Note: CIS softphone (Contact Center) can function properly in this configuration. However, only the signaling and voice should be proxied through the call recording MBG. Additional application protocols should be proxied directly from the edge MBG to the CIS server. Warning: This is the only supported way to have both teleworker sets and call recording of LAN sets.
2.6 SIP Trunking
MBG introduced support for SIP trunks in release 5.1. The SIP trunk is established from the MCD to the SIP trunk provider, using MBG as a SIP-aware firewall and proxy, as shown in Figure 8 below.
• increased resiliency with the potential for disaster recovery configuration
2.7 Daisy-Chain Deployments
“Daisy-chaining” is a technique of pointing one MBG at another that can work around certain bandwidth and routing restrictions. The servers are configured such that all traffic between the sets and ICPs traverses all MBG servers in series, like following links in a chain.
Reduced Bandwidth for Remote Sites
If MBG is providing access for a remote office environment where the users often call one another, an MBG server can be provided on site and daisy-chained to the MBG server at the main office. This is not needed for MiNet to MiNet calls behind the same remote NAT because the MBG local streaming feature will handle that case. However, this deployment can be used to keep MiNet to SIP calls in the remote office.
still flows back to the main office, but voice streams for calls between offices will only traverse the path between the two MBGs. This minimizes bandwidth use on the main office's connection.
Figure 11: Multiple downstream MBGs
Caveat: All MBG servers in the daisy chain must be at the same release. Refer to the MBG Installation and Maintenance Guide for a full description of setting up daisy-chaining.
Although Mitel recommends the dual server approach for maximum security, a single MAS server with all applications can be deployed in Gateway mode at the network edge. In this configuration, all administrative and end-user web interfaces and all services are directly reachable from the public network; Web Proxy is not required to reach them.
2.9 MBG in vUCC
The vUCC product combines MAS and MCD on one virtual machine.
3 Common Requirements
This section provides general guidance common to all types of deployments and all services. Please read it carefully.
3.1 Supported ICP Versions
At least one of the following compatible ICP products is required to use Mitel Border Gateway:
• Mitel Communications Director (MCD) release 4.0 or later. (Includes vMCD, MICD, 3300 platforms.)
• Broadview Networks silhouette release 4.0.0.3 or later. (Contact Broadview for the required MBG version.
NIC should be given an address on the DMZ network. The firewall will map between this address and the external address used for MBG. Details of the protocols that must be configured in the firewall are provided in Firewall Configuration. Particular attention should be paid to the requirement that all UDP ports >= 1024 on the LAN be permitted to reach the public IP of the MBG server.
4 Remote Phone Access
A major purpose of the MBG is to allow remote MiNet IP and/or SIP phones to connect to the office PBX over an insecure wide-area network such as the Internet, as if they were physically in the office. Most current (and many older) models of IP sets are supported by MBG. However, please refer to the Remote IP Phones Configuration Guide for guidance on specific models.
If WiFi sets are to be used, the router or a separate WiFi access point must also provide 802.11 b/g/n. The router must control the Internet connection in order for multiple devices to share the connection. When using desktop phones, USB PPPoE/PPPoA modems, USB 3G/4G modems, etc. are not supported, as they do not provide a port to plug in the phone.
commerce) must be provisioned as well. Failure to provide sufficient bandwidth for all Internet activities may compromise the quality of service provided by the Mitel Border Gateway. The table below shows examples of bandwidth required for various types of remote media streams.
Voice | MCA Collaboration
Voice: If compression (G.729a) enabled: 24 Kbps (bi-directional). If compression not enabled (G.
Stream | Bandwidth Required | Hourly Usage (100%) | Monthly Usage (100%)
Signaling (MiNet) | 1 KB/minute | 60 KB | 43.2 MB
Signaling (SIP) | 1.75 KB/minute | 105 KB | 75.6 MB
G.711 voice stream (IP), 20ms | 80 kbps | 36 MB | 25.92 GB
G.729a voice stream (IP), 20ms | 24 kbps | 10.8 MB | 7.78 GB
Table 2: Bandwidth usage vs time for an IP or SIP phone
Note: 20ms is the default RTP frame size, but the value is configurable in the Mitel Border Gateway administration panel.
small office and home NAT routers allow outgoing connections and responses to those outgoing connections.
4.4 Configuring MBG for Remote SIP Devices
Remote SIP Device Limitations
MBG cannot yet load-balance SIP devices. In general, resiliency for a SIP device can be achieved through external DNS by configuring multiple “A” records for the FQDN of the MBG, or by configuring SRV records. Refer to the documentation of the remote SIP devices for guidance on configuring resiliency.
From the MBG server to the LAN (or just ICPs):
• allow protocol UDP, destination port 5060 (and return traffic)
Note: This is a minimal configuration. Refer to Appendix A: Firewall Configuration Reference for the full set of rules and optional settings.
5 SIP Trunking
5.1 Overview
A “SIP trunk” in the context of MBG is simply a pair of endpoints, defined by their IP addresses and signaling ports. One of the endpoints is usually your ICP (MCD (3300 ICP) or 5000 CP), and the other is your SIP provider’s firewall or SBC. A trunk can have any number of “channels,” each of which corresponds to an active media stream.
Configure MBG clustering. On the master MBG, go to the “ICPs” tab and add both ICP “A” and ICP “B”. On the “SIP Trunking” tab, configure a trunk profile for the remote SBC. Add a single routing rule of “*” with ICP “A” and ICP “B” as the targets of the rule. This configuration will propagate to the secondary MBG. Incoming calls from the SBC will arrive at either MBG A or MBG B. From there, the MBG will route them to ICP A if it is up, or to ICP B if ICP A is down.
6 Call Recording
MBG includes the ability to act as a secure man-in-the-middle for SRTP voice streams, enabling a third-party call recording solution to tap calls by using MBG’s SRC interface. Please see the section on Sizing Your Installation to determine performance limits and resource requirements.
6.1 Call recording vs.
7 Additional Application Requirements
MBG allows the use of several supported applications from remote sites, just as it allows use of IP phones. When MBG is deployed in the DMZ of a third-party firewall, that firewall must be configured to allow connections from these applications. This section, plus the common rules in Firewalls (DMZ deployment) on page 15, gives a minimum configuration for each supported application.
7.3 Web Proxy
The following additional rules are required, at minimum:
From the Internet to the MBG server:
• allow protocol TCP, destination port 443
From the MBG server to the LAN:
• allow protocol TCP, destination port 443
Special consideration for MCA through Web Proxy
In addition to https traffic, MCA requires passthrough of its ConnectionPoint connection.
8 Additional Security Considerations
Due to the broad range of application types that can be deployed on the Mitel Standard Linux operating system (formerly Managed Application Server), Mitel suggests that you read the Security section of the Mitel Standard Linux Installation and Administration Guide before installing this application on the same server with other applications.
9 Traffic Shaping
9.1 Overview
For small businesses with a simple setup to the Internet, sharing that upstream link between voice and data can be problematic. Users in the middle of calls to the PSTN via SIP trunks, for example, will find the voice quality of their calls greatly reduced if a member of the office were to suddenly start a large download from the Internet. To mitigate these issues, MBG has the capability to prioritize the IP traffic that it is handling.
(Image credit: http://www.mikrotik.com/testdocs/ros/2.9/root/queue.
10 Clustering
10.1 Overview
Clustering in this context refers to the ability of multiple MBG servers to communicate with one another via TCP, sharing data and providing the capability to manage multiple nodes thus joined as if they were a single unit. Clustering also provides load balancing for supported MiNet devices, making the job of distributing devices across servers to share workload simple and effective.
By default all MiNet sets will be associated with the default zone. By editing the set, the set may have its affinity changed to a different zone. The implications of this are as follows:
• A set’s load-balancing list of nodes will always favor nodes in its zone
• The last entry in the load-balancing list will be a node from the default zone
This feature was introduced to support geographically dispersed clusters.
10.4 Additional Considerations
While heterogeneous server capabilities are supported in a cluster thanks to the weighting mechanism, this weighting only affects the number of connected devices on each server. Cluster communication adds load on each server, so adding a node to the cluster does not necessarily increase the capabilities of the cluster linearly.
11 Advanced Options
11.1 Resiliency
Supported MiNet sets have a resiliency list of up to four IP addresses. If a set loses its connection and cannot reestablish, it will try the next IP address on its list until it has exhausted all IP addresses on its resiliency list. For MiNet sets supporting persistent resiliency lists, this resiliency list is “remembered” through a power cycle. The resiliency list can be manually configured with arbitrary IP addresses.
Now a two-way call is properly routable between the two servers. Note: This feature is suitable only for small numbers of servers. For N servers, each server requires a list of N-1 translation rules. This becomes difficult to manage for larger values of N. An auto-population feature, leveraging the clustering support, is being investigated for a future release.
Note: The frame size override only affects the streams to and from devices. The ICP-side streaming is always auto-negotiated. On SIP trunks, both WAN and ICP sides can be specified separately.
11.5 TFTP Block Size
MiNet devices use the TFTP protocol to fetch their firmware from the MBG server. The Mitel TFTP server is slightly non-standard – it uses symmetric UDP to traverse NAT devices, and a “sliding window” to improve performance – but is otherwise RFC-compliant.
congestion. If the remote VoIP devices are only using voice then the bandwidth purchased for the EF queue must be large enough to accommodate the total number of concurrent voice streams passing through the MBG from Internet to managed WAN.
12 Sizing Your Installation
MBG installations come in many sizes, from a handful of remote workers, to large call centers with recording requirements, to service providers with hundreds of SIP trunks routed to customer vMCDs. This section provides guidelines for selecting appropriate hardware and network capacity for any size of installation. For sites with fewer than 500 users and 100 simultaneous streams, skip to section 12.2 Determine Call Equivalents.
Step Four: Erlang-B Calculator
An Erlang-B calculator can now be used with the values above to find the number of lines required to handle the load. (Free Erlang-B calculators are widely available online.) Following the teleworker example above, the Erlang-B calculation is:
λ = 40, μ = 12, P(b) = 0.01 → c = 9
The site will need 9 lines to handle the load. In MBG terms, this is 9 simultaneous calls.
The bandwidth figures for a single device are provided in Bandwidth Requirements for the Remote Site on page 19. For multiple devices, follow the procedure below.
Assumptions:
• Internet Service Providers specify bandwidth available to the user, i.e. PPPoE overhead does not need to be included in the provisioning of DSL bandwidth, but IP overhead does need to be included.
• RTP Bandwidth Requirements are as follows:
  ◦ G.711 = 80 Kbps
  ◦ G.729 = 24 Kbps
  ◦ G.
For the teleworker example:
20 * 1 Kbps + 9 * 24 Kbps + 20/12 * 20 Kbps = 270 Kbps
For the call center example:
1000 * 1 Kbps + 583 * 24 Kbps + 1000/12 * 20 Kbps = 16659 Kbps or 16.27 Mbps
Video Calculation
Some VoIP devices support video as well as voice, and extra bandwidth must be provisioned if video calls will be made.
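The sizing steps above (Step Four's Erlang-B calculation, the per-stream usage of Table 2 and the multi-device provisioning formula) carried through in code. This is an added illustration, not Mitel's calculator or any code from the guide: the Erlang-B recursion is the standard one, the 1 Kbps per-device signaling figure and the codec rates are the page's own, and the third term of the bandwidth formula (devices/12 * 20 Kbps) is applied exactly as the page writes it, without further interpretation.

```python
import math

def erlang_b(offered_load, lines):
    """Erlang-B blocking probability for `offered_load` Erlangs offered to
    `lines` lines, using the standard recursion
    B(0) = 1, B(n) = A*B(n-1) / (n + A*B(n-1)), which avoids large factorials."""
    b = 1.0
    for n in range(1, lines + 1):
        b = offered_load * b / (n + offered_load * b)
    return b

def lines_required(arrivals_per_hour, calls_per_line_per_hour, max_blocking):
    """Smallest number of lines c whose Erlang-B blocking is <= max_blocking.
    Step Four of the guide uses lambda = 40, mu = 12, P(b) = 0.01 and gets c = 9."""
    offered_load = arrivals_per_hour / calls_per_line_per_hour  # Erlangs
    c = 1
    while erlang_b(offered_load, c) > max_blocking:
        c += 1
    return c

# RTP rates from the guide's bandwidth assumptions (Kbps per stream).
RTP_KBPS = {"G.711": 80, "G.729": 24}

def stream_usage(kbps, hours=720):
    """(hourly usage in MB, usage in GB over `hours`) for one stream at 100% use.
    720 hours (30 days) reproduces the monthly column of Table 2 (decimal MB/GB)."""
    hourly_mb = kbps * 3600 / 8 / 1000
    return hourly_mb, hourly_mb * hours / 1000

def site_bandwidth_kbps(devices, simultaneous_calls, codec):
    """The guide's multi-device formula, rounded up to whole Kbps:
    devices * 1 Kbps (signaling) + calls * codec rate + devices/12 * 20 Kbps."""
    total = (devices * 1.0
             + simultaneous_calls * RTP_KBPS[codec]
             + devices / 12 * 20.0)
    return math.ceil(total)

def teleworker_example():
    """The guide's teleworker site: 20 sets, 40 calls/hour, 12 calls/hour/line,
    1% blocking, G.729 on the WAN. Returns (lines, Kbps)."""
    lines = lines_required(40, 12, 0.01)
    return lines, site_bandwidth_kbps(20, lines, "G.729")

if __name__ == "__main__":
    lines, kbps = teleworker_example()
    print(f"teleworker site: {lines} lines, {kbps} Kbps")
    cc_kbps = site_bandwidth_kbps(1000, 583, "G.729")
    print(f"call center: {cc_kbps} Kbps = {cc_kbps / 1024:.2f} Mbps")
    for codec, rate in RTP_KBPS.items():
        hourly, monthly = stream_usage(rate)
        print(f"{codec}: {hourly} MB/hour, {monthly:.2f} GB/month")
```

`lines_required` walks c upward until the blocking target is met, which is what an online Erlang-B calculator does for you; the guide's 1000-set call center example is reproduced with its stated 583 simultaneous calls rather than derived, since the page gives no arrival rate for that site.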
MCA voice and video conferencing between MCA clients via the MCA server is also supported through MBG. The bandwidth usage per video stream is configurable on the MCA client. An additional consideration is that an MCA client can receive multiple video streams, one for each video participant in the conference. That number can be reduced at the MCA client by minimizing or closing video windows.
Step one: G.711 trunk calls
WAN BW = 40 channels * 80 kbps = 3200 kbps
LAN BW = 40 channels * 80 kbps = 3200 kbps
Step two: Remote office calls; voice
WAN BW = 75 * 24 kbps = 1800 kbps
LAN BW = 75 * 24 kbps = 1800 kbps
Step three: Remote office calls; video
10% of 75 users = 7.5
WAN BW = 7.5 * 512 kbps = 3840 kbps
LAN BW = 7.
Capacity:
• 5000 registered devices
• 1750 simultaneous G.711 “simple calls”
VMWare Virtual Hardware
Host CPUs: 2 x Intel Xeon E5620 (Nehalem quad core), 2.4 GHz, with HyperThreading
Host Memory: 24 GB
Host Network: Gigabit Ethernet
OS: VMWare vSphere 5.0
Two configurations were tested: vMBG “small business” and vMBG “enterprise”.
Capacity - “small business” configuration:
• 16 vMBGs – 1 vCPU each
  ◦ 150 registered devices (each vMBG)
  ◦ 30 simultaneous G.
The collaboration bandwidth is in addition to that required for voice communications. Refer to 7 Additional Application Requirements for the relevant firewall rules.
Presenters | Participants | Bandwidth Required
1 | 1 | 192 Kbps
1 | 2 | 256 Kbps
1 | 5 | 448 Kbps
2 | 2 | 460 Kbps
2 | 5 | 736 Kbps
1 | 10 | 768 Kbps
2 | 10 | 1.2 Mbps
2 | 50 | 4.9 Mbps
5 | 100 | 18.7 Mbps
Table 3: Bandwidth Requirements for MCA Collaboration
1 Extension = 17 KB
1 Network Monitor (NM) (1 x MCD) = 56 KB
Refer to the following table to determine the size and download time for the database at various line speeds.
# of Devices | Config Data | Size | 512 Kbps | 1024 Kbps | 1.54 Mbps | 2.048 Mbps | 10 Mbps
5 | 1Q, 1A, 1Ex, 1Em, 1NM | 157.6 KB | 00:00:02 | 00:00:01 | 00:00:01 | 00:00:00 | 00:00:00
50 | 15Q, 11A, 11Ex, 12Em, 2NM | 303.2 KB | 00:00:04 | 00:00:02 | 00:00:01 | 00:00:01 | 00:00:00
100 | 25Q, 25A, 22Ex, 25Em, 3NM | 348.
13 Virtual MBG Considerations
Virtual Mitel Border Gateway (vMBG) is the MBG software and supported Mitel Standard Linux (MSL) operating system bundled in a VMware virtual appliance, to run in the VMware vSphere/ESX(i) hypervisor. The software is packaged in Open Virtualization Format (OVF) for deployment into a VMware environment. Refer to the virtualization sections of the MAS engineering guidelines for details and current best practices.
Software
Virtual MBG is supported on the following platforms:
• VMWare vSphere 4.1, 5.0, 5.1 (ESX/ESXi 4.1, 5.0, 5.1)
The following standard features of vSphere are not currently supported for vMBG:
• Update Manager Server & OS Patching: This feature does not support MSL and cannot be used. MSL updates should be installed via the Blades panel or an MSL CD.
14 Solutions To Common Problems
14.1 Changing a Cluster Node's IP Address
MBG clustering uses IP addresses to identify each node and to initiate cluster communications connections. To change a node's IP address, Mitel recommends the following procedure:
1. Make sure that the node to be changed is not the master node. Take ownership from another node if required.
2. From the slave node to be changed, go to the clustering tab and click on the “Leave cluster” button.
15 Appendix A: Firewall Configuration Reference
The information in this section is provided to allow configuration of a customer's firewall for the Mitel Border Gateway in DMZ deployment. This configuration is automatic in the "MBG server as the gateway" deployment. In all cases below, "server" refers to the Mitel Border Gateway server (that is, the MSL server).
UDP 1024-65535 (RTP) | Server -> LAN, Server -> Internet | Voice Communications. Allow outgoing SRTP on UDP ports greater than, or equal to 1024 from the server to all streaming devices on the LAN and the Internet. Misconfiguration here is a common cause of one-way audio problems. Note that as of release 7.0, MBG defaults to using even-numbered ports for RTP, leaving the odd-numbered ports for RTCP.
UC Advanced Support (Optional). If making use of the UC Advanced support, this port must be permitted from the Server to the LAN IP of the UCA server, and also to any NuPoint servers.
TCP 80 | Server -> LAN | Contact Center Support (Optional). To enable use of the prairieFyre Contact Center solution, this port must be permitted from the server to the Contact Center server on the LAN.
TCP 5060 | Server -> LAN | UC Advanced Support (Optional).
TCP 7001 | Server -> LAN | Contact Center Support (Optional). To enable use of the prairieFyre Contact Center solution, this port must be permitted from the server to the Contact Center server on the LAN.
TCP 35003 | Internet -> Server | Contact Center Support (Optional). To enable use of the prairieFyre Contact Center solution, this port must be permitted from the Internet to the server.
TCP 7003 | Server -> LAN | Contact Center Support (Optional).
TCP 6800, 6801 and 6802 | Server -> LAN, Server -> ICP(s) | MiNet Call Control. Allow incoming and outgoing packets for TCP ports 6801 (MiNet-SSL) and 6802 (MiNet-Secure V1) between the server and the Internet. Allow incoming and outgoing packets for TCP ports 6800 (unencrypted MiNet), 6801 and 6802 between the server and the LAN and the server and the ICP(s).
TCP 35008 | Internet -> Server | Contact Center Support (Optional). To enable use of the prairieFyre Contact Center solution, this port must be permitted from the Internet to the server.
TCP 8188 | Server -> LAN | Contact Center Support (Optional). To enable use of the prairieFyre Contact Center solution, this port must be permitted from the server to the Contact Center server on the LAN.
TCP 21 | Internet -> Server | MCD Remote Upgrade (Optional).
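A small policy checker built from the Appendix A rows above and the section 3 requirement that all UDP ports >= 1024 on the LAN reach the MBG public IP. It is an added example, not a Mitel tool: the required-rule table is transcribed from this page (mandatory media and MiNet rows plus the SIP and Web Proxy rules from sections 4 and 7), while the rule format, the direction labels and the candidate policy being audited are constructed for the demonstration. The candidate deliberately opens only part of the media range towards the Internet, the misconfiguration the appendix names as a common cause of one-way audio.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    lo: int       # first destination port of the range
    hi: int       # last destination port of the range (inclusive)
    src: str      # "internet", "server" (the MBG/MSL server) or "lan"
    dst: str
    purpose: str = ""

    def covers(self, proto, port, src, dst):
        return (self.proto == proto and self.src == src and self.dst == dst
                and self.lo <= port <= self.hi)

# Required rules transcribed from Appendix A and sections 3, 4.4 and 7.3 of the guide.
REQUIRED = [
    Rule("udp", 1024, 65535, "server", "lan", "SRTP media, server to LAN"),
    Rule("udp", 1024, 65535, "server", "internet", "SRTP media, server to Internet"),
    Rule("udp", 1024, 65535, "lan", "server", "RTP from LAN devices to the MBG public IP"),
    Rule("tcp", 6801, 6802, "internet", "server", "MiNet-SSL / MiNet-Secure V1 from remote sets"),
    Rule("tcp", 6800, 6802, "server", "lan", "MiNet call control to LAN and ICPs"),
    Rule("udp", 5060, 5060, "server", "lan", "SIP signalling to ICPs"),
    Rule("tcp", 443, 443, "internet", "server", "Web Proxy (HTTPS) inbound"),
    Rule("tcp", 443, 443, "server", "lan", "Web Proxy (HTTPS) to LAN"),
]

def permits(policy, proto, port, src, dst):
    """True if any rule in `policy` allows this flow."""
    return any(r.covers(proto, port, src, dst) for r in policy)

def missing_requirements(policy, required=REQUIRED):
    """Required rules that `policy` does not fully satisfy. Every port of the
    required range must be permitted, so a policy that opens only part of the
    1024-65535 media range is reported rather than passed."""
    return [req for req in required
            if not all(permits(policy, req.proto, p, req.src, req.dst)
                       for p in range(req.lo, req.hi + 1))]

def rtp_port_role(port):
    """MBG release 7.0 and later default: even ports carry RTP, odd ports RTCP."""
    return "RTP" if port % 2 == 0 else "RTCP"

# Constructed candidate policy for the demonstration: the media range towards
# the Internet stops at 32767, so streams on higher ports never leave the DMZ.
CANDIDATE_POLICY = [
    Rule("udp", 1024, 65535, "server", "lan"),
    Rule("udp", 1024, 32767, "server", "internet"),
    Rule("udp", 1024, 65535, "lan", "server"),
    Rule("tcp", 6801, 6802, "internet", "server"),
    Rule("tcp", 6800, 6802, "server", "lan"),
    Rule("udp", 5060, 5060, "server", "lan"),
    Rule("tcp", 443, 443, "internet", "server"),
    Rule("tcp", 443, 443, "server", "lan"),
]

def audit_report(policy=CANDIDATE_POLICY):
    """Human-readable list of unmet requirements, one line per missing rule."""
    return [f"missing: {r.proto.upper()} {r.lo}-{r.hi} {r.src} -> {r.dst} ({r.purpose})"
            for r in missing_requirements(policy)]

if __name__ == "__main__":
    for line in audit_report() or ["all required rules present"]:
        print(line)
    print("port 50000 carries", rtp_port_role(50000), "- port 50001 carries", rtp_port_role(50001))
```

The check is deliberately exhaustive over the port range rather than comparing rule boundaries, so a policy assembled from several partial ranges still passes if, taken together, they cover everything the appendix requires. The optional Contact Center, UC Advanced and FTP rows are left out of `REQUIRED`; add them to the table when those applications are in use.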
GLOSSARY
APC: Application Processor Card
ATM: Asynchronous Transport Mode. A switching protocol that uses asynchronous time-division multiplexing (TDM) to put data into fixed-size cells. It is suitable for carrying real-time payloads such as voice and video.
AWC: Audio Web Conferencing (See MCA)
CCS: Centum Call Seconds. A unit of measurement used in traffic and queuing theory calculations that is equal to 100 seconds of conversation.
ISP: Internet Service Provider
MBG: Mitel Border Gateway
MCA: Mitel Collaboration Advanced, formerly known as AWC.
MCD: Mitel Communications Director, formerly known as the 3300 ICP.
MiNet: Mitel Network Layer Protocol. A signaling protocol used to transport messages between the PBX and all Mitel IP phones. MiNet is encapsulated in TCP.
MSL: Mitel Standard Linux.
INDEX
3300: 3, 15, 25
5000 CP: 15, 25
Agent: 47
AMC: 17, 37, 49, 50, 52
AWC: 53, 58, 59
bridged mode: 4
Call Equivalent:
zones: 33, 34
trunk: