HP Survivable Branch Communication zl Module powered by Microsoft Lync™
Planning and Design Guide
February 2011
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 SBM Overview
    Overview 1-2
    SBM Components 1-2
        Hardware 1-2
            PCIe Slots 1-3
            Ports

2 Design Considerations
    Overview 2-3
    Planning Call Capacity 2-4
        Considerations for Local Peer-to-Peer Calls
    Planning Ease of Management 2-49
        Initial Installation 2-49
        Ongoing Management 2-50
            Local Management 2-50
            Remote Management

4 Example Solutions
    Overview 4-3
    Solution 4-3
        Purchase Telephony Cards
    Test Results 4-97
        Branch and HQ Site Interoperability (1) 4-97
            Test Methods 4-97
        Summary
1 SBM Overview

Overview

The HP Survivable Branch Communication zl Module (SBM) powered by Microsoft Lync™ works within a Microsoft® Unified Communications and Collaboration (UC&C) solution to provide resilient voice services at a branch office. This chapter introduces you to the components and features of the SBM and explains how it fits within the Microsoft Lync-based UC&C solution.
SBM Components

PCIe Slots

The module includes two PCIe slots, in which you install telephony cards. These cards provide the interfaces for public switched telephone network (PSTN) connections.

Ports

The 1 Gbps management port, which you see on the SBM’s front panel, provides direct management access to the SBM, allowing a network administrator or support person to reach the SBM even if its network connectivity has failed.
USB Slot

You can insert most standard USB devices in the module’s USB slot. (Devices that require power must use an external power supply.) When you access the SBM’s Remote Desktop (see “Planning Ease of Management” on page 2-49 of Chapter 2: “Design Considerations”), you can navigate the USB device’s file directory and transfer files.
Note: When you replace a module component, the module sometimes boots the HP Service OS instead. Your instructions will indicate how to boot to the ONEapp OS.

■ The HP Service OS—The primary and backup Service OS reside on the Compact Flash (CF). The SBM is not typically booted to this OS, but it is available for performing diagnostics in case troubleshooting is required.

This guide will use “SBM” to refer both to the physical module and to the ONEapp OS and its applications.
SBM Role in a Microsoft UC&C Solution

The SBM acts within a complete UC&C solution to provide resilient communication and voice services for a branch office.

Microsoft Lync Architecture

To better explain how the SBM fits within the Lync architecture, this guide will first provide a brief overview of this architecture, including illustrations and definitions of various terms that you will encounter in this guide.
Components

This section focuses on the components that provide these services. Figure 1-2 displays the basic architecture.

Figure 1-2. Lync Server Architecture

The solution’s components are defined in a Lync Server topology, which is divided into sites that consist of LANs (areas connected by high-speed Ethernet or fiber-optic connections). Within the topology, a site defines the resources that help to deliver UC&C services to users at that site.
■ Lync Server Front-End Server or pool of Front-End Servers—The Front-End Server (or pool of Enterprise Front-End Servers) is responsible for helping Lync users to reach each other and establish communications. All Lync users, who are imported from the domain, are assigned to at least one Front-End Server (or pool).
The site can optionally include these components:

■ Mediation Server—A Mediation Server (or pool of servers) receives SIP calls that are destined for the PSTN. It translates the Microsoft proprietary SIP traffic to standard SIP and decrypts TLS traffic. It also translates the codec, which is the protocol used to encode sound into a digital format.
The SBM addresses this issue, providing all the services necessary for Enterprise Voice locally at the branch office. Branch users are assigned to the SBM as their Lync Server Front-End Server (registrar), and the SBM also provides the Mediation Server and PSTN gateway.

Figure 1-3. Lync Survivable Branch Architecture

Within the Lync topology, the SBM occupies a different position from a traditional Lync Server.
Third-party SIP phones require their own managers. In order for these third-party phones and your Lync clients to communicate, the call must pass through a Microsoft-certified PBX.

Communications

You will now examine in more detail how the SBM handles communications, and in particular audio calls.
Figure 1-5. Remote Peer-to-Peer Call

These basic steps occur when the branch user is the calling party:

1.
   • TCP 5061 when TLS, which provides encryption, is used
   • TCP 5060 when TLS is not used

Note: If you have an existing Lync solution, you know that clients typically find the Lync services using a DNS service record.
3. The calling party and the called party use SIP to establish the call. The SBM can be the proxy for the branch user during the call establishment, and communications pass through the LAN (for local calls) or through the LAN and WAN (for calls to other sites). If the called party is a remote user (one who accesses the company network through the Internet), the central office Access Edge Server is its SIP proxy, so SIP traffic passes over the WAN.
Figure 1-6. Establishing the SIP Call

4. The RTP traffic flows for the duration of the call. Calls between branch users remain within the LAN, while calls between a branch user and a user at a different site pass over the WAN connection. In either case, for simple two-way calls the RTP traffic passes directly between the clients, making the Lync solution quite scalable. See Figure 1-4 on page 1-11 and Figure 1-5 on page 1-12.

5.
Figure 1-7. Conference Call

Branch Lync users can also call outside numbers that are reached through the PSTN. This guide will refer to these calls as PSTN calls. First, examine a local PSTN call, which is routed through the SBM itself.
Figure 1-8. Local PSTN Call

These basic steps occur:

1. The branch user’s Lync client contacts the SBM as its Front-End Server (registrar). It uses the same SIP port as for other calls:
   • TCP 5061 with TLS
   • TCP 5060 without TLS

2. The SBM routes and normalizes the call using rules and policies defined centrally for the branch site, which it retrieves from the CMS. It forwards the call to the correct Mediation Server.

3.
Figure 1-9. Establishing the Call

4. RTP communications continue to pass through the SBM’s PSTN gateway and over the PSTN line. (Unless you are using Media Bypass, the RTP traffic passes through the Mediation Server before the PSTN gateway.)

Often, you route local branch users’ PSTN calls out the SBM’s PSTN connection as described in the steps above.
Figure 1-10. Remote PSTN Call

The process for establishing such a call is similar to that for establishing a local call. However, the remote PSTN gateway takes the place of the SBM’s gateway.

Survivability

You now have a basic idea of how the SBM handles calls in normal operations. During a WAN failure, the SBM automatically forwards all calls over its PSTN connections, as shown in Figure 1-11.
Figure 1-11. Call Flow During WAN Failure

“Behavior During a WAN Outage” on page 2-30 of Chapter 2: “Design Considerations” provides more information about which services are available in this situation. The SBM and data center Lync Servers can also provide redundancy for each other for different types of failover. For example, the parent central site Front-End pool is automatically configured as a backup registrar pool for the SBM.
SBM PSTN Capabilities

The HP Media Gateway is the PSTN gateway installed on the SBM. The Media Gateway acts as the branch site’s interface between the Microsoft UC&C solution and the PSTN.
Table 1-1 shows the supported settings on the HP Media Gateway and T1/E1 Telephony Cards. If you need more information about line coding, frame format, and ISDN switch types, you can read the sections below. However, typically you do not choose these settings yourself. You simply match the settings that your carrier tells you to use.

Table 1-1.
Like HDB3, B8ZS was designed to overcome the deficiencies of AMI. To prevent synchronization loss, B8ZS replaces a string of eight zeros with a string that includes two logical ones of the same polarity as a timing mark.

Frame Format. You must configure the E1 or T1 interface to use the same frame format as that used by the public carrier. E1-carrier lines and T1-carrier lines use different frame formats.
In regions that use T1, you might encounter several different ISDN standards. The SBM T1 interfaces support these types:

■ National ISDN-2 (NI2)—Based on National ISDN-1, this standard was intended to outline a common set of options that ISDN manufacturers and public carriers must provide.

■ Class 5 Electric Switching System (5ESS)—Alcatel-Lucent sells switches that use this standard. Many telcos have such switches, including AT&T.
2 Design Considerations

Contents
    Overview 2-3
    Planning Call Capacity 2-4
        Considerations for Local Peer-to-Peer Calls 2-5
        Considerations for Local PSTN Calls and Planning Your Telephony Cards
    Planning Security 2-33
        Adjusting Firewall Policies 2-33
        Planning Computer Policies for the SBM 2-34
            Security Hardening at the SBM Factory Default Settings 2-35
            USGCB Recommendations That Must Not Be Implemented 2-45
        Considering Call Logging
Overview

As described in the previous chapter, an HP Survivable Branch Communication zl Module (SBM) powered by Microsoft Lync™ fits within your current Lync solution to provide resilient Lync services for a branch office. This chapter gives you guidelines for planning your solution to meet your business requirements in several areas:

■ Call capacity
■ Audio quality
■ High availability
■ Ease of management
■ Security policies

Table 2-1.
Important Task | Design Considerations Reference
Consider management options for the SBM and communicate them to the appropriate administrator. | “Ongoing Management” on page 2-50
If you have a Simple Network Management Protocol (SNMP) solution, install the SBM’s management information bases (MIBs) on it. | “SNMP MIBs” on page 2-52
Open necessary ports on firewalls between the branch and the data center. |
Planning Call Capacity

Considerations for Local Peer-to-Peer Calls

The SBM imposes no special limit on local peer-to-peer calls (calls between Lync users at the same branch). Each of the 1000 users can make such a call simultaneously. Providing the 25 to 90 Kbps required for a typical call should not cause a problem for the LAN. However, other features such as video conferencing and file sharing add to the bandwidth requirements.
T1 lines provide 24 voice channels, while E1 lines provide 30. Analog Foreign Exchange Office (FXO) lines support only one call each. Foreign Exchange Subscriber (FXS) lines connect to analog devices such as fax machines; they are used to receive calls on behalf of those devices. Table 2-3 displays the telephony cards supported by the SBM and the number of PSTN calls supported by each.
Your records might already report peak usage times and the maximum number of concurrent calls. If you are planning to route some PSTN calls through the main office or another site rather than through the SBM, subtract those types of calls from the maximum. Also consider whether some calls that currently pass through the PSTN might now become peer-to-peer calls to other users within the WAN, and subtract those calls.
Figure 2-1. Example Spreadsheet for Estimating Concurrent Calls

In either case, remember to also consider whether you need FXS interfaces to support devices such as fax machines. Once you have an estimate of the number of channels and FXS interfaces required, you can select a card from Table 2-3 on page 2-6.

Estimate Concurrent Calls from Usage

If you cannot obtain accurate records for the site’s current usage, you can estimate the required number of channels.
Note: These guidelines are estimates only and might vary based on the average duration of calls. Your requirements might also decrease if your users begin to make more peer-to-peer Lync calls instead of PSTN calls.

Table 2-4 provides at-a-glance guidelines. Use Table 2-5 to arrive at a closer estimate for your environment.

Table 2-4.
Table 2-6.
If using E1 lines, you could purchase one Two-Port T1/E1 Telephony Card and one One-Port T1/E1 Telephony Card. Alternatively, you could purchase one Four-Port T1/E1 Telephony Card and reserve the other slot for future needs.
Table 2-8. Estimate Concurrent Remote Peer-to-Peer Calls

Usage Level | Number of Users at That Level | Estimated Concurrent Calls | Total Estimated Concurrent Calls
Light (one remote peer-to-peer call per user per hour) | X = ____ | X/15 = A = ______ | A + B + C = D = E = ________
Medium (two remote peer-to-peer calls per user per hour) | Y = ____ | Y/10 = B = ______ |
Heavy (three remote peer-to-peer calls per user per hour) | Z = ____ | Z/5 = C = _______ |

Table 2-9.
■ The overhead added by headers—The larger the headers, the greater the bandwidth requirements. The maximum requirements are calculated for Ethernet headers, which are larger than, for example, PPP headers.

■ The sample size (in milliseconds) used by the codec—The smaller the sample size, the better the call quality but the higher the bandwidth requirement (because more VoIP frames are sent per second, the overhead added by headers has a greater effect).
For remote PSTN calls, you can use the RTAudio bandwidth estimates or the G.711 estimates. However, remember that Media Bypass requires the higher-bandwidth G.711 codec. (See “Media Bypass” on page 2-17 for information about Media Bypass.)

Table 2-11.
Table 2-12. Estimate Concurrent Remote Peer-to-Peer Calls (Example)

Usage Level | Number of Users at That Level | Estimated Concurrent Calls | Total Estimated Concurrent Calls
Light (one remote peer-to-peer call per user per hour) | X = 0 | X/15 = A = 0 | A + B + C = D = E = 90
Medium (two remote peer-to-peer calls per user per hour) | Y = 900 | Y/10 = B = 90 |
Heavy (three remote peer-to-peer calls per user per hour) | Z = 0 | Z/5 = C = 0 |

Table 2-13.
Table 2-14. Estimate WAN Bandwidth Requirements (Example)

Call Type | My Estimate for Required Bandwidth | My Number of Concurrent Calls | Total Estimated Bandwidth
Remote peer-to-peer calls | X = 39. | |
Table 2-15. Bandwidth Requirements for Audio, Video, and Web Conferencing

Feature | Typical Bandwidth per Session | Maximum Bandwidth per Session without FEC | Maximum Bandwidth per Session with FEC
RTAudio (8 kHz) | 25.9 Kbps | 39.8 Kbps | 51.6 Kbps
RTAudio (16 kHz) | 34.8 Kbps | 57 Kbps | 86 Kbps
RTVideo CIF | 203 Kbps | 250 Kbps | —
RTVideo VGA | 492 Kbps | 600 Kbps | —
Video High definition | 1.2 Mbps | 1. |
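The worksheets in Tables 2-8 and 2-12 (users at each usage level divided by 15, 10 or 5) and the multiplication in Table 2-14 (concurrent calls times a per-call bandwidth figure) are easy to get wrong when repeated for several branches, so the following Python script carries them out for you. It is an added example, not part of the HP guide: the divisors and the RTAudio figures are copied from Tables 2-8 and 2-15, while the function and class names are the example's own.

```python
"""Concurrent-call and WAN audio bandwidth estimator for a branch site.

Added example; it is not part of the HP guide. It carries out the arithmetic
of Tables 2-8 and 2-12 (users at each usage level divided by 15, 10 or 5) and
of Table 2-14 (concurrent calls multiplied by a per-call bandwidth figure),
using the RTAudio values printed in Table 2-15. Function and class names are
the example's own.
"""
from dataclasses import dataclass

# Table 2-8 divisors: light = one remote peer-to-peer call per user per hour
# (X/15), medium = two per hour (Y/10), heavy = three per hour (Z/5).
USAGE_DIVISORS = {"light": 15, "medium": 10, "heavy": 5}

# Per-call audio bandwidth in Kbps from Table 2-15. The G.711 figures needed
# when Media Bypass is in use are in Table 2-11 of the guide and are not
# reproduced here.
RTAUDIO_KBPS = {
    "RTAudio (8 kHz)": {"typical": 25.9, "max_no_fec": 39.8, "max_fec": 51.6},
    "RTAudio (16 kHz)": {"typical": 34.8, "max_no_fec": 57.0, "max_fec": 86.0},
}


@dataclass(frozen=True)
class CallEstimate:
    """A, B and C from the worksheet; total is D (and E when no other call types are added)."""
    light: float   # A = X/15
    medium: float  # B = Y/10
    heavy: float   # C = Z/5

    @property
    def total(self) -> float:
        return self.light + self.medium + self.heavy


def estimate_concurrent_calls(light_users: int, medium_users: int, heavy_users: int) -> CallEstimate:
    """Fill in Table 2-8 for the given user counts (X, Y and Z)."""
    for n in (light_users, medium_users, heavy_users):
        if n < 0:
            raise ValueError("user counts cannot be negative")
    return CallEstimate(
        light=light_users / USAGE_DIVISORS["light"],
        medium=medium_users / USAGE_DIVISORS["medium"],
        heavy=heavy_users / USAGE_DIVISORS["heavy"],
    )


def wan_bandwidth_kbps(concurrent_calls: float, codec: str = "RTAudio (8 kHz)",
                       profile: str = "max_no_fec") -> float:
    """Table 2-14: concurrent calls multiplied by the per-call estimate.

    The default profile is the maximum without FEC, so the link is sized for
    worst-case packets rather than typical ones; use profile="max_fec" when
    forward error correction is enabled on the WAN.
    """
    return concurrent_calls * RTAUDIO_KBPS[codec][profile]


def size_branch_wan(light_users: int, medium_users: int, heavy_users: int,
                    codec: str = "RTAudio (8 kHz)", profile: str = "max_no_fec") -> dict:
    """Combine both worksheets and return the figures a planner would record."""
    est = estimate_concurrent_calls(light_users, medium_users, heavy_users)
    kbps = wan_bandwidth_kbps(est.total, codec, profile)
    return {
        "concurrent_calls": est.total,
        "per_call_kbps": RTAUDIO_KBPS[codec][profile],
        "audio_kbps": kbps,
        "audio_mbps": round(kbps / 1000, 2),
    }


if __name__ == "__main__":
    # The Table 2-12 example: 900 medium users and nobody light or heavy -> 90 calls.
    print(size_branch_wan(0, 900, 0))
```

Running the script with the Table 2-12 numbers (0, 900, 0) gives 90 concurrent calls and, at the 39.8 Kbps maximum for RTAudio 8 kHz without FEC, about 3.58 Mbps of audio traffic on the WAN before any video, conferencing or data traffic is added.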
Media Bypass

Overview

In the traditional Lync architecture, Lync clients communicate with Mediation Gateways, which then translate the calls for transmission to the PSTN (Media) gateway. With Media Bypass, the Mediation Server still helps to establish the PSTN call. However, after the call is established, clients can send Real-Time Protocol (RTP) media traffic directly to the PSTN gateway, encoding their calls with the correct codec themselves.
See “Configure Media Bypass (Recommended)” on page 3-7 of Chapter 3: “Ready the Data Center for an SBM Deployment” for general instructions on enabling the feature. “Configure Media Bypass” on page 4-49 of Chapter 4: “Example Solutions” provides step-by-step instructions for an example Media Bypass configuration.
Planning Audio Quality

Figure 2-4. Local PSTN Calls

Calls to Lync users in remote sites and calls routed through a remote PSTN gateway pass through the LAN and also over the branch’s WAN connection.
Figure 2-5. Remote Peer-to-Peer Calls

Figure 2-6.
In both the LAN and the WAN, the VoIP traffic competes with data traffic. Real-time traffic such as VoIP requires special handling. VoIP traffic needs low latency; it cannot tolerate delays. In addition, voice traffic must have low jitter: that is, the delay for each packet transmitted should be similar, so that the receiver does not hear a difference in the conversation. The traffic’s codec affects its sensitivity to jitter and lag.
Table 2-17 shows how 802.1p values are mapped to queues on HP switches. Traffic in the queue with the highest number is forwarded first.

Table 2-17. 802.1p Mapping to Queues
Table 2-18.
HP Switch | PoE | LLDP-MED
E4500-24-PWR | X | X
E4500-48-PWR | X | X
E5500-24-PWR | X | X
E5500-48-PWR | X | X
A3600-48-PoE EI | X | X
A3600-24-PoE EI | X | X
A3600-24-PoE SI | X | X
A3600-48-PoE SI | X | X
A5120-48-PoE EI | X | X
A5120-24G-PoE EI | X | X
A5500-24G-PoE EI | X | X
A5500-48G-PoE EI | X | X
A5500-24G-PoE SI | X | X
A5500-48G-PoE SI | X | X
A5800-24G-PoE | X | X
A5800-48G-PoE | X | X

In addition, the Lync IP phones automatically mark all traffic with a Differentiated
■ Map DSCP 40 to 802.1p 5 or 6, which configures the switch to place the traffic sent by phones in the correct priority queue.

■ Enable the minimum number of queues required—Remember, having fewer queues gives each queue greater buffer space. However, you need one queue for each type of traffic that requires different handling.

You must complete similar tasks on uplink switches:

■ Extend the voice VLAN throughout the network.
Note: The values for the service types are the default and recommended values. However, you can use different values if those values are already used by a different type of traffic. What is crucial is that the switches map the DSCP values to the correct 802.1p value and queue.
When you set up QoS for the LAN, you ensured that the Lync clients marked audio and video traffic with the correct DSCP. Most WAN routers, including HP routers, can both honor the DSCP and preserve it so that other devices in the WAN continue to honor it. The administrator in charge of the WAN router simply needs to enable a QoS mechanism such as weighted fair queuing (WFQ) and set the mechanism to refer to DSCP.
Figure 2-7. Port Numbers on Telephony Cards

Planning for High Availability

The SBM is a survivable solution. This section describes the module’s high-availability features and its behavior during various failover situations. It also explains how you must deploy the module to ensure that it meets your requirements for high availability.

High Availability Features

The SBM has several links that can provide redundancy for each other.
On an HP E5400 zl Series switch, you can install redundant power supplies. The SBM itself connects to the HP zl switch on an internal port, which is highly reliable.

Behavior During a WAN Outage

If your branch office’s WAN link fails, the SBM continues to provide voice services.
Feature | Supported in Normal Operation | Supported during WAN Outage
Branch users can place calls to Lync users at other sites in the enterprise. | X (routed through the WAN) | X (rerouted through the PSTN). Note that calls that were begun before the failure will be dropped and must be placed again.
Lync users at other sites can place calls to local branch users. | |
This configuration ensures that branch users have access to Lync services in case they cannot reach the SBM. It is recommended that you use least cost routing with the SBM. That is, when possible, you create routes that direct calls through the SBM or PSTN gateway for which those calls are local.
Planning Security

This section helps you to plan an SBM solution that fits within your business’s security policies.
■ Use a GPO to configure a smaller range of ports for the RTP traffic. The registry entries are HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Lync\PortRange\MinMediaPort and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Lync\PortRange\MaxMediaPort. The range must include at least 40 ports, but you can include more. You can then open that range on your firewall.
The tables in the following sections list the security hardening actions that HP has implemented at factory default settings—as well as the actions that you must not take because they cause the SBM implementation to fail.
Table 2-20.
Setting’s Registry Path or Policy Path | Windows 7 USGCB Recommended Setting
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive; should be in HKU\.DEFAULT\Control Panel\Desktop!ScreenSaveActive | 1
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure; should be in HCU\. |
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload | 1
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DoNotInstallCompatibleDriverFromWindowsUpdate | 1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime; should be in HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp!MaxDisconnectionTime | 60000
HKLM\SOFTWAR |
HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting | 0
HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW | 1
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnDomain, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnPublicNet, HKLM\Software\Policies\Microsoft\Windo |
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!LogFilePath; set in \firewall\domainfirewall. | %windir%\system32\logfiles
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime | 300000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery | 0
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions | 3
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting | 2
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxD |
The remaining settings have a related registry path but are generally configured in this local security policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. In addition to the registry setting, the left column also displays the related parameter in this policy.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes (Policy setting: Network Security: Configure encryption types allowed for Kerberos) | Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types
HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | Send NTLMv2 Response only.
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (Policy setting: Microsoft network server: Digitally sign communications (if client agrees)) | Enabled
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (Policy setting: Microsoft network server: Digitally sign communications (always)) | Enabled
HKLM\System\CurrentControlSet\ |
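Two checks from this section lend themselves to the same small tool: confirming that the GPO media port range described under “Adjusting Firewall Policies” (MinMediaPort and MaxMediaPort) covers at least 40 ports, and confirming that the TCP/IP values listed in Table 2-20 are still in place after your own Group Policy has applied. The following Python script is an added example, not code from the HP guide or from the SBM software; it parses the text of a .reg export (the format that `reg export` writes) and runs both checks against it. The export in the script is constructed for the example, and the function names are the example's own.

```python
r"""Audit a Windows registry export for the SBM settings discussed in this section.

Added example; not code from the HP guide or the SBM software. It parses the
text of a .reg export (the format `reg export` writes) and then checks two
things from this chapter: that the GPO media port range (MinMediaPort and
MaxMediaPort under HKLM\SOFTWARE\Policies\Microsoft\Lync\PortRange) spans at
least 40 ports, and that the TCP/IP values listed in Table 2-20 are still in
place. The export below is constructed for the example; function names are the
example's own.
"""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{1,8})$')
STRING_RE = re.compile(r'^"(.+?)"="(.*)"$')

PORT_RANGE_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Lync\PortRange"
MIN_MEDIA_PORTS = 40  # the guide's minimum width for the RTP port range

# Values from Table 2-20: (registry path, value name) -> expected DWORD.
EXPECTED_TCPIP = {
    (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters", "KeepAliveTime"): 300000,
    (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters", "PerformRouterDiscovery"): 0,
    (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters", "TcpMaxDataRetransmissions"): 3,
    (r"HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters", "DisableIPSourceRouting"): 2,
}

# Constructed sample export (a real one is UTF-16 text with the same layout).
# 0xc350 = 50000 and 0xc377 = 50039, i.e. exactly 40 ports; 0x493e0 = 300000.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Lync\PortRange]
"MinMediaPort"=dword:0000c350
"MaxMediaPort"=dword:0000c377

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"KeepAliveTime"=dword:000493e0
"PerformRouterDiscovery"=dword:00000000
"TcpMaxDataRetransmissions"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisableIPSourceRouting"=dword:00000002
"""


def _norm(key: str) -> str:
    """Abbreviate the hive and lower-case the path; registry paths are case-insensitive."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def parse_reg_export(text: str) -> dict:
    """Return {(normalised key path, lower-cased value name): value} for DWORD and string values."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if (m := KEY_RE.match(line)):
            current = _norm(m.group(1))
        elif current is not None and (m := DWORD_RE.match(line)):
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
        elif current is not None and (m := STRING_RE.match(line)):
            values[(current, m.group(1).lower())] = m.group(2)
    return values


def media_port_range(values: dict):
    """Return (min, max, number of ports) for the GPO port range, or raise if it is unusable."""
    key = _norm(PORT_RANGE_KEY)
    lo, hi = values.get((key, "minmediaport")), values.get((key, "maxmediaport"))
    if lo is None or hi is None:
        raise KeyError("MinMediaPort/MaxMediaPort are not set in this export")
    if hi < lo:
        raise ValueError(f"MaxMediaPort {hi} is below MinMediaPort {lo}")
    return lo, hi, hi - lo + 1


def port_range_is_adequate(values: dict) -> bool:
    """True when the range includes at least MIN_MEDIA_PORTS ports."""
    return media_port_range(values)[2] >= MIN_MEDIA_PORTS


def audit_hardening(values: dict, expected: dict = EXPECTED_TCPIP) -> list:
    """List (path, name, expected, actual) for every Table 2-20 value that has drifted or is missing."""
    findings = []
    for (path, name), want in expected.items():
        got = values.get((_norm(path), name.lower()))
        if got != want:
            findings.append((path, name, want, got))
    return findings


if __name__ == "__main__":
    vals = parse_reg_export(SAMPLE_EXPORT)
    print("media port range:", media_port_range(vals), "adequate:", port_range_is_adequate(vals))
    print("hardening drift:", audit_hardening(vals) or "none")
```

On a real SBM you would export the two keys with `reg export`, convert the UTF-16 file to text, and feed it to `parse_reg_export`; the port range it reports is the range to open on the branch firewall, and any entry returned by `audit_hardening` is a value that a domain GPO has overridden and that should be reconciled with Table 2-20.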
Table 2-21 displays the rules that HP has added to the SBM’s firewall.

Table 2-21. Firewall Rules Added by HP at Factory Default Settings

Rule Name | Rule
CS TCP444 | dir=in,action=allow,localip=any,remoteip=any,protocol=any,profile=any,enable=yes
CS rtcmedsrv | dir=in,action=allow,program="%PROGRAMFILES%\Microsoft Communications Server 2010\Mediation Server\MediationServerSvc.
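The rules in Table 2-21 are written in the key=value,key=value form that `netsh advfirewall firewall add rule` accepts, so they can be parsed and reviewed mechanically when you compare the printed table with the rules actually present on the SBM. The following Python script is an added example, not code from the HP guide or the SBM software; it parses rule strings in that form and flags inbound allow rules whose scope is limited neither by a port nor by a program or service. The first sample rule is the one printed in Table 2-21; the program path in the second is a constructed placeholder, because the guide's printed rule is cut off after “MediationServerSvc”. The function names are the example's own.

```python
"""Parse and review netsh-style firewall rule definitions such as those in Table 2-21.

Added example; not part of the HP guide or the SBM software. The rule strings
use the key=value,key=value form accepted by `netsh advfirewall firewall add
rule`. The review flags inbound allow rules whose scope is limited neither by a
port nor by a program or service. The program path in the second sample rule is
a constructed placeholder; function names are the example's own.
"""

# Keys that narrow what an allow rule opens. A rule with none of them admits
# every protocol and port to every local process.
SCOPE_KEYS = ("localport", "remoteport", "program", "service")

SAMPLE_RULES = {
    # Printed verbatim in Table 2-21.
    "CS TCP444": "dir=in,action=allow,localip=any,remoteip=any,protocol=any,profile=any,enable=yes",
    # Constructed: the guide's printed path is cut off, so a placeholder path stands in.
    "CS rtcmedsrv": r'dir=in,action=allow,program="C:\Placeholder\Mediation Server\MediationServerSvc.exe",profile=any,enable=yes',
}


def parse_rule(rule: str) -> dict:
    """Split key=value pairs on commas; quotes are stripped and a quoted value may contain commas."""
    fields, key, buf, quoted = {}, None, [], False
    for ch in rule:
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf).strip().lower(), []
        elif ch == "," and not quoted:
            if key is not None:
                fields[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(ch)
    if key is not None:
        fields[key] = "".join(buf).strip()
    return fields


def review_rule(rule: str) -> list:
    """Return review findings for one rule; an empty list means its scope is narrowed."""
    f = parse_rule(rule)
    findings = []
    enabled_inbound_allow = (
        f.get("dir") == "in" and f.get("action") == "allow" and f.get("enable", "yes") == "yes"
    )
    if enabled_inbound_allow and not any(k in f for k in SCOPE_KEYS):
        findings.append(
            f"inbound allow rule with protocol={f.get('protocol', 'any')} and "
            f"remoteip={f.get('remoteip', 'any')} but no port, program or service restriction"
        )
    return findings


def review_rules(rules: dict = SAMPLE_RULES) -> dict:
    """Review every named rule and map the rule name to its findings."""
    return {name: review_rule(rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, findings in review_rules().items():
        print(f"{name}: {findings or 'scope is narrowed'}")
```

Run against the table, the review flags “CS TCP444”: as printed, the rule carries protocol=any and no port, so despite its name it admits any protocol from any remote address on every profile. The program-scoped “CS rtcmedsrv” rule passes. Whether the printed text matches the rule that ships on the module is something to confirm on the SBM itself (for example with `netsh advfirewall firewall show rule name="CS TCP444"`) before relying on the name.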
Table 2-22.
Setting’s Registry Path or Policy Path | Windows 7 USGCB Recommended Setting
HKLM\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (Policy setting: Network access: Do not allow storage of passwords and credentials for network authentication) | Enabled
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (Policy setting: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing) | Enabled
HKLM\System\CurrentControlSet\Control\L |
Table 2-23. Settings that Might Cause Issues

Setting’s Registry Path or Policy Path | Windows 7 USGCB Recommended Setting | Possible Issue
Policy Path: Profile system performance | Administrators, NT SERVICE\WdiServiceHost | A known Windows issue causes the WdiServiceHost to be written incorrectly. Refer to: http://support.microsoft.com/kb/2000705.
Planning Ease of Management

This section describes the options that you and others have for managing the SBM.

Initial Installation

Table 2-24 displays the tasks that must be performed to bring the SBM from the factory box to up and running. The entire process can be completed within one hour to an hour and a half, depending on your environment. You can divide various tasks among different personnel, or you can have the same person perform the tasks.
Estimated Time | Task | Reference
5 minutes | Complete the SBM Setup Wizard up to joining the domain: setting the time; configuring IP settings | HP Survivable Branch Communication zl Module (SBM) powered by Microsoft Lync™ Administrator’s Guide
25 minutes | Complete the rest of the SBM Setup Wizard: joining the domain; installing components; installing Lync certificates; activating Lync; replicating the topology; configuring the PSTN settings; Star |
Remote Management

You might have centralized solutions for monitoring and managing network assets such as the HP SBM. You can monitor the SBM remotely using one or more of these supported remote monitoring tools:

■ OpenView Agent
■ SNMP server
■ Syslog server
■ Microsoft Operations Monitor Agent

You should refer to the documentation for your tool for instructions on using it to manage devices such as the SBM.
Design Considerations Planning Ease of Management SNMP MIBs Verify that your SNMP solution has the correct MIBs for your SBM. The SBM supports the following MIBs: ■ Microsoft/Windows OS MIBs ■ Intel NIC MIBs ■ Media Gateway MIBs The sections below explain where you can obtain the appropriate MIBs. Microsoft/Windows OS MIBs. You can find the Microsoft Windows OS MIBs on the SBM by accessing it using RDP. They are stored in the C:\Windows\System32 directory. You can identify them by the .mib file extension.
3 Ready the Data Center for an SBM Deployment

Contents
Overview 3-2
Domain Administrator Tasks 3-3
Verify Your Groups 3-3
Add the SBM Computer Object to the Domain

Overview

This chapter explains the tasks that must be performed to ready the data center for a successful SBM deployment. It provides enough information for experienced Windows administrators to create a checklist of what they need to do. Detailed guidelines, however, are beyond the scope of this document; refer to Microsoft documentation for all such purposes.

Domain Administrator Tasks

This section describes the tasks that a member of the Domain Admins group must complete to ready the domain for an SBM deployment. These steps must be completed before the CS Administrator adds the SBM to the Lync Server topology.

Verify Your Groups

First, ensure that your domain has the CS and RTC groups, which should have been added to the domain when Microsoft Lync Server 2010 was deployed.
Add Test Users for the SBM’s Health Monitoring Pool (Recommended)

The SBM Setup Wizard includes a test that verifies that branch Lync users can successfully place calls through the public switched telephone network (PSTN). To generate the test calls, the SBM draws on the user accounts within its Health Monitoring pool. Although the pool can use existing user accounts, it is best practice to create test users just for the pool.

Add the Survivable Branch to the Lync Server Topology

Add the Branch Site and SBM to Lync Topology

You must add the SBM to the existing Lync topology.

Important: Verify that the SBM computer object has been created in AD and its SPN defined. Then complete these tasks:
1. Use the Lync Server 2010 Topology Builder to define a branch site within a parent central site.
2.

Create Voice Routing Policies and Normalization Rules for the SBM

You need to create a voice routing policy for the branch site.

Configure Media Bypass (Recommended)

It is recommended that you configure Media Bypass for the SBM’s site. Otherwise, you might not be able to reach the maximum of 120 PSTN calls, or the call quality might suffer. See “Media Bypass” on page 2-17 for an overview of this feature. You enable Media Bypass from the Lync Server Control Panel.

4. You must now determine whether you also want to apply Media Bypass to calls from the branch that are routed out a PSTN gateway at the central site. Look at your bandwidth estimates for these calls. Does your WAN connection provide enough bandwidth if the calls use the G.711 codec as opposed to the RTAudio codec? Remember to take into account the fact that other traffic will travel over the WAN link.

Ready a Certificate for the SBM

The person who performs the initial configuration of the SBM must install a Web Server certificate on it.
Whether you generate the certificate/private key file on your own Windows CA or obtain it from a third-party CA, the certificate must meet these criteria:
■ Generated with the Web Server template, or provides the same key usages and extended key usages as this template:
  • Key usages: digitalSignature, keyEncipherment
  • Extended key usages: serverAuth
■ Follows these guidelines for the subject name:
  • The subject name is a distinguished n
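A certificate that is missing one of these usages is typically rejected only when the Mediation Server or a client first tries to use it, so it is worth checking the certificate before installation. The following function is an added example, not from the HP guide: it inspects a certificate already in the local machine's personal store and reports whether the key usage, extended key usage, private key and validity period meet the criteria above. The comparison of the certificate's DNS name against the SBM's FQDN is an assumption on my part (the subject-name rule on this page is truncated), and the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not from the HP guide): verify a Web Server certificate in
# Cert:\LocalMachine\My against the key-usage and EKU criteria listed above.

function Test-SbmWebServerCert {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        # Assumed rule: the certificate's DNS name should be the SBM's FQDN.
        [string]$ExpectedFqdn = 'seattle-sbm.example.hp.com'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ds  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $ke  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth

    # Collect EKU OIDs as plain strings (empty if the extension is absent).
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # DnsName returns the SAN DNS entry, or the subject CN when no SAN exists.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $now = Get-Date

    $checks = @(
        @{ Check = 'Key usage includes digitalSignature'; Pass = [bool]($ku -and (($ku.KeyUsages -band $ds) -ne 0)) },
        @{ Check = 'Key usage includes keyEncipherment';  Pass = [bool]($ku -and (($ku.KeyUsages -band $ke) -ne 0)) },
        @{ Check = 'EKU includes serverAuth';              Pass = [bool]($ekuOids -contains $serverAuthOid) },
        @{ Check = 'DNS name matches SBM FQDN (assumed)';  Pass = [bool]($dnsName -eq $ExpectedFqdn) },
        @{ Check = 'Private key present on this machine';  Pass = [bool]$cert.HasPrivateKey },
        @{ Check = 'Within validity period';               Pass = [bool](($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)) }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

# Usage; the thumbprint is a placeholder, take the real one from the store.
Test-SbmWebServerCert -Thumbprint '<THUMBPRINT>' | Format-Table Check, Pass -AutoSize
```

The private-key check matters for the option in which the request is generated elsewhere and the certificate/private key file is imported: a certificate imported without its private key passes every other check yet cannot be used by the SBM.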
SBM Administrator Creates and Submits a Request

This option has the security advantage that the private key is generated on the SBM and never leaves it. In addition, the SBM installer does not require any special domain permissions to generate the request. This option does, however, leave it up to the SBM administrator to enter the correct information for the request (guided by the Setup Wizard, which eliminates most errors).

Communicate Information to the SBM Administrator

The SBM administrator is a member of the RTCUniversalSBATechnicians group. You could give this group permission to enroll for Web Server certificates. Alternatively, you could have the domain administrator give the SBM administrator the credentials for an account that already has this permission.

■ The credentials of the domain user in the RTCUniversalSBATechnicians group:
  Username: ___________________________________
  Password: ___________________________________
■ Either:
  • A .

Figure 3-1. SIP Ports

■ SIP transport protocol for communications from the Media Gateway to the Mediation Server:
  • TLS (recommended)
  • TCP
  This is the protocol defined for the SBM’s Mediation Server in the topology.
■ Primary SIP server port, only if it is not standard
  This is the listening port defined for the SBM’s Mediation Server in the topology.

Post-SBM Installment Tasks

After the SBM has been installed, a CS Administrator or CS User Administrator can assign branch Lync users to the SBM’s pool. Before completing this task, it is recommended that you verify that:
■ The SBM is installed and running.
■ The SBM installer has completed the Setup Wizard. Verify that the Lync test call was successful.
4 Example Solutions

Contents
Overview 4-3
Solution 4-3
Purchase Telephony Cards 4-5
Set Up the Data Center 4-6
Add the SBM Computer Object
Install the SBM and Complete the Setup Wizard 4-63
Install the SBM 4-64
Begin the Setup Wizard 4-64
Generate a Certificate for the SBM 4-78
Continue Installing the SBM and Completing the Setup Wizard

Overview

This chapter provides step-by-step instructions for deploying an HP Survivable Branch Communication zl Module (SBM) powered by Microsoft Lync™ solution, including instructions for the tasks described in Chapter 2: “Design Considerations” and Chapter 3: “Ready the Data Center for an SBM Deployment.” Every SBM deployment is unique; this chapter provides an example solution from which you can select the parts closest to your environment and adapt them.

Figure 4-1. Example Network Topology

As you can see, the company has a Microsoft Lync 2010 solution. Previously, all branch users registered to the Lync servers at the data center. If there was a WAN failure, however, this solution left the branch users without phone service. To protect the branch offices from this problem, the company is installing two SBMs, one at the Dallas branch and one at the Seattle branch.

Figure 4-2. Example Network Topology

Purchase Telephony Cards

In the example, the large branch at Dallas has about 900 users. It is estimated that each user will make no more than two local public switched telephone network (PSTN) calls an hour. This includes calls that might be routed from other sites out through this site according to least-cost routes.

The medium branch at Seattle has about 250 users. Using the same criteria as at Dallas, you can estimate that the Seattle branch office needs 25 voice channels. The branch also has two fax machines. The company could purchase a Single-Port T1/E1 Telephony Card (24 channels with T1) and a Two-Port FXS/Two-Port FXO Telephony Card (support for two fax machines and two analog lines).
Figure 4-3. Active Directory Users and Computers > [domain] > Computers Window

3. For Computer Name, type the name that you have selected for the SBM. For this example, type seattle-sbm.

Figure 4-4. New Object - Computer Window

4. You must allow the SBM technician to add the SBM to the domain. Next to User or group, click Change.
5. Type RTCUniversalSBATechnicians. This group object is created automatically when you install Microsoft Lync Server.

Figure 4-5. New Object - Computer Window

6. Click OK.
7. Click Next, and Next again in the next window.

Figure 4-6. New Object - Computer Window

8. Click Finish.
9. Follow the same steps to add user accounts. For the solution outlined in this chapter, you would add the test user account for the Dallas site, dallas-sbm.
10. Open ADSI Edit (Start > Administrative Tools > ADSI Edit).
11. In the left navigation bar, select ADSI Edit and then click Action > Connect to.

Figure 4-7. ADSI Edit Window

12. For Select a well known Naming Context, select Default naming context.
13. Leave the other settings at their defaults.

Figure 4-8.

14. Click OK.
15. In the left pane, expand Default naming context > [DC=] > CN=Computers (as shown in Figure 4-9).
16. Right-click the folder labeled with the SBM’s CN (in the example, CN=seattle-sbm) and select Properties.

Figure 4-9. ADSI Edit Window

17. Scroll down to and select servicePrincipalName.

Figure 4-10. CN= Properties

18. Click Edit.
19. Type HOST/ followed by the SBM’s fully qualified domain name (FQDN), as shown in the figure. In this example the FQDN is seattle-sbm.example.hp.com, so you would enter HOST/seattle-sbm.example.hp.com.

Figure 4-11. CN= Properties

20. Click Add.
21. Click OK. Then click Apply and OK until you have closed all windows.
Table 4-2. User Accounts

Username       Member of                                   Email Address
sbmtech        Domain Users, RTCUniversalSBATechnicians    —
seattle_test1  Domain Users                                seattle_test1@example.hp.com
seattle_test2  Domain Users                                seattle_test2@example.hp.com
dallas_test1   Domain Users                                dallas_test1@example.hp.com
dallas_test2   Domain Users                                dallas_test2@example.hp.com

1. Log in to a domain controller server as a Domain or Enterprise Admin.

Figure 4-12. Active Directory Users and Computers—Add a User to a Group

4. Type RTCUniversalSBATechnicians.
5. When you receive confirmation that the user was added to the group, click OK.
6. Add the first test user account:
  a. Right-click the Users folder and select New > User.
  b. Configure the user’s name and login name. For this example, the login name is seattle_test1.

Figure 4-13. New Object - User Window

  c. Click Next.
  d. Configure the user’s password and password options. For the test user accounts in the example solution, you may want to clear the User must change password at next logon option.
  e. Click Next. Review the settings you have created for this user. If you need to change a setting, click Back until you reach the relevant window and can make the change.
  f. Click Finish.
  g.

Figure 4-14. User Properties

    iv. Click OK.
7. Repeat the steps in this section to create the other user accounts you will use to test this solution:
  • seattle_test2
  • dallas_test1
  • dallas_test2

Note: Although this chapter focuses primarily on the steps for configuring the SBM at the Seattle branch, it is more efficient to create the test users for the Dallas site at the same time you create the Seattle test users.

Create DHCP Reservations

The administrators at the example company want to control the IP addresses for the SBMs, so they will create a DHCP reservation for each. These reservations are created in the scope for the voice VLAN at each branch.

Table 4-3. SBM DHCP Reservations

SBM          Scope                    IP Address   MAC Address
Seattle SBM  VLAN41 (Seattle_Voice)   10.4.1.254   00-24-C5-39-59
Dallas SBM   VLAN31 (Dallas_Voice)    10.3.1.

Figure 4-15. DHCP Server > [server name] > IPv4 > [scope] > Reservations Window

  a. Right-click Reservations and select New Reservation.
  b. For Reservation name, type a unique, descriptive name.
  c. For IP address, type the IP address that you want to assign to the SBM. For this example, type 10.4.1.254.
  d. For MAC address, type the MAC address of the SBM’s Ethernet interface 2 (for example, 0024C53959).

Figure 4-16. DHCP Server > [server name] > IPv4 > [scope] > Reservations Window

  e. Click Add.

Set up the Lync Solution for the New SBMs

In this solution, the company already has a Lync Server 2010 solution. A CS administrator must prepare the solution for the new SBMs after the Enterprise or Domain Admin has added the SBM computer objects but before the SBMs are installed.

Add the Survivable Branch to the Lync Server Topology

To prepare the Lync solution for the new SBMs, you must first add the SBMs to your topology. The table displays the settings that you must know for each SBM.

Table 4-4. SBM Topology Settings

SBM          FQDN                        SIP Transport Protocol   PSTN Listening Port   Mediation Server Port
Seattle SBM  seattle-sbm.example.hp.com  TLS                      Default (5082)        Default (5067)
Dallas SBM   dallas-sbm.example.hp.
4. Type a name and other descriptive information for your branch site.

Figure 4-18. Lync Server 2010 Topology Builder > Define New Branch Site Wizard—Identify the site Page

5. Click Next.
6. Type information about the site’s location.

Figure 4-19. Lync Server 2010 Topology Builder > Define New Branch Site Wizard—Specify site details Page

7. Click Next.

Figure 4-20. Lync Server 2010 Topology Builder > Define New Branch Site Wizard—New Branch site was successfully defined Page

8. Leave the check box selected and click Finish.
9. A new wizard is launched for defining the survivable branch appliance, which is the SBM. Type the SBM’s FQDN. In this example, type seattle-sbm.example.hp.com. This FQDN must match the one specified for the SBM’s Service Principal Name (SPN).

Figure 4-21. Lync Server 2010 Topology Builder > Define New Survivable Branch Server—Define the Survivable Branch Appliance FQDN Page

10. Click Next.
11. Select the Front End pool at the central site that will provide services such as presence to the branch site. This pool will also automatically act as a backup (secondary registrar) for the SBM.

Figure 4-22. Lync Server 2010 Topology Builder > Define New Survivable Branch Server—Select the Front End Pool Page

12. Click Next.

Figure 4-23. Lync Server 2010 Topology Builder > Define New Survivable Branch Server—Select an Edge Server Page

13. If your site provides remote access, select the Edge pool at the central site that the branch site will use, and click Next. If your central office does not provide remote access, you will not have defined an Edge pool. In this case, simply click Next.
14.

Figure 4-24. Lync Server 2010 Topology Builder > Define New Survivable Branch Server—Define the PSTN Gateway Page

17. Click Finish.
18. You should see your site within the Branch sites folder. Expand the site and then expand the Survivable Branch Appliances, Mediation pools, and PSTN gateways folders. The SBM’s FQDN should be listed under each.

Figure 4-25. Lync Server 2010 Topology Builder (Branch Site Added)

You would then complete the same steps for the Dallas SBM. Figure 4-26 shows the topology after the second SBM has been added. You can edit settings by clicking Edit Properties under Actions in the right pane.

Figure 4-26. Lync Server 2010 Topology Builder (Second Branch Site Added)

After defining the topology, you must publish it:
19. Click Lync Server 2010 at the top of the topology builder. On the Actions pane on the right, click Publish Topology.
20. In the Publish the Topology window that is displayed, click Next.
Figure 4-27. Lync Server 2010 Topology Builder > Publish Topology Wizard > Publishing wizard complete Page

Note: If an error occurs, make sure that a Domain or Enterprise Admin has completed the following tasks:
■ Added the SBM computer object with the same hostname that you are using for the FQDN
■ Specified the SBM’s SPN with the same FQDN that you are using (SPN = HOST/ followed by the FQDN)

21. After the wizard has successfully published the topology, click Finish.
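Both conditions in the Note, and the SPN step in the ADSI Edit procedure earlier in this chapter, can be checked from any domain-joined machine before you publish the topology. The following function is an added example, not part of the HP guide: it looks up the computer object by the hostname part of the FQDN, confirms that HOST/<FQDN> is among its SPNs, and additionally flags the case where some other object in the domain holds the same SPN (a duplicate SPN breaks Kerberos authentication for both objects, which is one reason the SBM may fail to join or register). It uses an LDAP search through [adsisearcher], so it needs no extra modules; the FQDN used in the usage line is the example one from this chapter.

```powershell
# Added example (not from the HP guide): pre-publish check that the SBM
# computer object exists and carries HOST/<FQDN> as a unique SPN.

function Test-SbmComputerObject {
    param([Parameter(Mandatory=$true)][string]$Fqdn)

    $hostname    = $Fqdn.Split('.')[0]        # e.g. seattle-sbm
    $expectedSpn = "HOST/$Fqdn"

    # Computer objects have sAMAccountName "<hostname>$".
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$hostname`$))"
    $searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'dNSHostName'))
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        return New-Object PSObject -Property @{
            Fqdn = $Fqdn; ObjectFound = $false; SpnFound = $false; SpnUnique = $false; Spns = @()
        }
    }
    $spns = @($result.Properties['serviceprincipalname'])

    # Any other object holding the same SPN would break Kerberos for both.
    $dupSearcher = [adsisearcher]"(servicePrincipalName=$expectedSpn)"
    $holders = @($dupSearcher.FindAll() | ForEach-Object { $_.Path })

    New-Object PSObject -Property @{
        Fqdn        = $Fqdn
        ObjectFound = $true
        SpnFound    = ($spns -contains $expectedSpn)
        SpnUnique   = ($holders.Count -le 1)
        Spns        = $spns
        SpnHolders  = $holders
    }
}

Test-SbmComputerObject -Fqdn 'seattle-sbm.example.hp.com' | Format-List Fqdn, ObjectFound, SpnFound, SpnUnique, Spns, SpnHolders
```

ObjectFound and SpnFound should both be True and SpnUnique True before you publish; if SpnFound is False, repeat the servicePrincipalName step in ADSI Edit with exactly the FQDN you entered in Topology Builder.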
Table 4-5. Voice Policies

Voice Policy   Assigned to    PSTN Usages      Routes
Seattle        Seattle site   LeastCost        Seattle, Dallas, Sacramento
                              SeattleFailsafe  AllSeattleSBM
Dallas         Dallas site    LeastCost        Seattle, Dallas, Sacramento
                              DallasFailsafe

Table 4-6.

Figure 4-28. Lync Server 2010 Control Panel > Voice Routing > Voice Policy Window

26. Click New > Site policy.

Figure 4-29. Lync Server 2010 Control Panel—Select a Site Window

27. Select the Seattle site and click OK.
28. Configure a name for the policy, and under Calling Features select the features that you want the site to support. In this solution, these are the default features.

Figure 4-30. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New Voice Policy Window

29. Create PSTN usage records that route traffic through the SBM:
  a. In the Associated PSTN Usages section, click New.
  b. Name the PSTN usage record. For the example solution, create the record for least-cost routing first. Type LeastCost.

Figure 4-31. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New PSTN Usage Record Window

  c. In the Associated Routes section, click New.
  d. Name the route. First, create the Seattle route.
  e. Configure the rules for selecting calls for this route. The interface allows you to specify the leading characters for selected calls, from which it automatically generates the correct regular expression. You can also edit the regular expression yourself.

Figure 4-32. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New Voice Policy > New PSTN Usage Record > New Route Window

  f. Scroll down the page until you see the Associated gateway section. In this section, click Add.
  g. Select the Seattle SBM.

Figure 4-33. Lync Server 2010 Control Panel—Select Gateway Window

  h. Click OK.
  i. Click OK in the New Route window.
  j. In the Associated Routes section of the New PSTN Usage Records window, click New.
  k. Follow the same steps to configure the Dallas route:
    – Name = Dallas
    – Starting digits for numbers that you want to allow = +1214
    – Associated gateway = Dallas SBM
  l.

Figure 4-34. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New Voice Policy > New PSTN Usage Record

  m. When you are finished adding routes to this PSTN usage record, click OK in the New PSTN Usage Record window. You are returned to the New Voice Policy window.
30. You will now create the SeattleFailsafe PSTN usage record, which routes all traffic through the Seattle SBM, ensuring that the SBM can forward all calls during a WAN failure.
  a.
  g. Select the Seattle SBM.
  h. Click OK.
  i. You are finished with this PSTN usage record. Click OK again.
31. In the New Voice Policy window, make sure that the PSTN usage record that routes all calls through the local SBM (SeattleFailsafe in this example) is at the bottom of the list.

Figure 4-35. Lync Server 2010 Control Panel > Voice Routing > Voice Policy Window

32. Click OK in the New Voice Policy window.

Figure 4-36. Lync Server 2010 Control Panel > Voice Routing > Voice Policy Window

33. Click Commit > Commit all.
34. A window displays the changes. Click Commit and then click Close.
35. Follow similar steps to create voice policies for other sites. For these sites, you can use the same LeastCost PSTN usage record. For example, to create the policy for the Dallas site, follow these steps:
  a. In the Voice Policy tab, click New > Site policy.
  b. Select the Dallas Branch.

Figure 4-37. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > Select a Site Window

  c. Click OK.
  d. Configure a name for the policy, and under Calling Features select the features that you want the site to support. For the example solution, select the default features.

Figure 4-38. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New Voice Policy Window

  e. In the Associated PSTN Usages section, click Select.
  f. Select the LeastCost record.

Figure 4-39. Lync Server 2010 Control Panel > Voice Routing > Voice Policy > New Voice Policy Window

  g. Click OK.
  h. Remember to create the PSTN usage record that routes all traffic through the local SBM. In the Associated PSTN Usages section of the New Voice Policy window, click New.
  i. For Name, describe the record. In this example, type DallasFailsafe.
  j. In the Associated Routes section of the New PSTN Usage Records window, click New.
  k.
36. Click OK in the New Voice Policy window.
37. Click Commit > Commit all.
38. In the Uncommitted Voice Configuration window, click Commit. Then click Close.

For this solution, you will use the global dial plan, which normalizes numbers for transmission to the PSTN gateway, for all branch sites. This plan is configured by default, so you are finished creating the voice policies for the branch sites.
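The procedure above relies on two things the Control Panel hides: the regular expression it generates from the starting digits, and the order in which PSTN usages are evaluated (which is why the failsafe usage must be last). The script below is an added example, not from the HP guide. The patterns are my own: the Control Panel's generated expression is not shown on this page, so I use an E.164 pattern for +1214 (a US number is +1, a three-digit area code and seven subscriber digits) and a catch-all for the failsafe usage. The sample numbers are constructed; the commented New-CsVoiceRoute call at the end is my assumed Management Shell equivalent of the Control Panel steps, not something the guide shows.

```powershell
# Added example (not from the HP guide): test what the least-cost and
# failsafe route patterns match, and why usage order matters.

# Dallas least-cost route: E.164 numbers in the 214 area code (my pattern;
# the Control Panel generates its own from "Starting digits = +1214").
$DallasPattern   = '^\+1214\d{7}$'
# Failsafe route: any E.164 number, so every call still has a route when
# the WAN is down and only the local SBM can be reached.
$FailsafePattern = '^\+\d+$'

function Get-MatchingRoute {
    param([string]$Number)
    # Usages are evaluated in the order listed in the voice policy, so the
    # specific least-cost route comes first and the catch-all last.
    $routes = @(
        @{ Name = 'Dallas (LeastCost)';       Pattern = $DallasPattern },
        @{ Name = 'AllSeattleSBM (Failsafe)'; Pattern = $FailsafePattern }
    )
    foreach ($r in $routes) {
        if ($Number -cmatch $r.Pattern) { return $r.Name }
    }
    return 'No route'
}

# Constructed sample numbers (555 exchange, not real subscribers).
'+12145550100', '+14255550100', '2145550100' | ForEach-Object {
    New-Object PSObject -Property @{ Number = $_; Route = (Get-MatchingRoute $_) }
} | Format-Table Number, Route -AutoSize
# Expected: +12145550100 -> Dallas (LeastCost)
#           +14255550100 -> AllSeattleSBM (Failsafe)
#           2145550100   -> No route (not normalized to E.164)

# Assumed Management Shell equivalent of the Control Panel steps for the
# Dallas route (adapt the gateway identity to your topology):
# New-CsVoiceRoute -Identity 'Dallas' -NumberPattern $DallasPattern `
#     -PstnGatewayList @{add='PstnGateway:dallas-sbm.example.hp.com'} `
#     -PstnUsages @{add='LeastCost'}
```

The third sample shows why the global dial plan mentioned above matters: a number that has not been normalized to E.164 matches neither route. If the failsafe usage were listed first, every call, including +1214 numbers that should leave through Dallas, would be sent through the Seattle SBM instead.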
Figure 4-40. Lync Server 2010 Control Panel > Users Window

2. Click Enable users > Enable users.

Figure 4-41. Lync Server 2010 Control Panel > Users > Users Window

The New Lync Server User window is displayed.
3. In the Users section, click Add.
4. Use the search field to find the test branch users. For the example solution, look for the seattle_test1 and seattle_test2 users.

Figure 4-42. Lync Server 2010 Control Panel > Users > Select from Active Directory Window

5. Select the users and click OK.
6. For Assign users to a pool, select the SBM’s FQDN. In the example, you would select seattle-sbm.example.hp.com for the Seattle test users.
7. Choose how the user’s URL is formulated in the Generate user’s SIP URL section.
8. For Telephony, select Enterprise Voice.
9. Configure other settings as appropriate for your environment.

Configure Media Bypass

In this section, you configure Media Bypass. This task should be completed by a CS Administrator. Follow these steps to enable Media Bypass if it is not already enabled:
1. In the left navigation bar on the Lync Server 2010 Control Panel, click Network Configuration.
2. Click the Global tab.

Figure 4-43. Lync Server 2010 Control Panel > Users > New Lync Server User Window

  a. Click Edit > Show details.
  b. Select the Enable Media Bypass check box.
  c.

Figure 4-44. Lync Server 2010 Control Panel > Network Configuration > Global Window

  d. Click Commit.

You must now create your site configurations. In this solution, you define each branch with an SBM at its own site and assign the local subnets to that site. This configuration will apply Media Bypass to calls that originate from the same site as the PSTN gateway but not to calls that originate from other sites.

Table 4-7. Branch Site Configuration

Region    Sites     Subnets
Company   Seattle   10.4.1.0/24
          Dallas    10.3.1.0/24

Follow these steps to create the Seattle site:
1. In the left navigation bar, click the Network Configuration bar.
2. Click the Sites tab.
3. Click New.

Figure 4-45. Lync Server 2010 Control Panel > Network Configuration > Global > Site Window

4. For Name, type a descriptive name. For this example, type Seattle.
5. For Region, select the region to which the site belongs. For this example, select Company.
6. Click Commit.
7. Click the Subnets tab.
8. Click New.

Figure 4-46. Lync Server 2010 Control Panel > Network Configuration > Global > Subnet Window

9. For Subnet, type the network address of the voice subnet at the site. For this example, type 10.4.1.0.
10. For Mask, type the prefix length for the subnet. For this example, type 24.
11. For Network ID, select Seattle.
12.
Create the Health Monitoring Pool

You must create a Health Monitoring pool for each SBM. You should have already assigned the test accounts to the SBM’s pool. (See “Assign Test Users to the SBM” on page 4-45.)

Table 4-8. Health Monitoring Pool Configuration

Pool     FQDN                        First Test User URL               Second Test User URL
Seattle  seattle-sbm.example.hp.com  sip:seattle_test1@example.hp.com  sip:seattle_test2@example.hp.com
Dallas   dallas-sbm.example.hp.com   sip:dallas_test1@example.
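The Health Monitoring configuration is created in the Lync Server Management Shell with New-CsHealthMonitoringConfiguration, which takes the pool FQDN as its identity and, for each of the two test users, the SIP URI and the SAM account name. The script below is an added example, not the command shown in the guide's figure: it creates the configuration for both pools from Table 4-8 in a rerunnable way and then lists the result. The NetBIOS domain name EXAMPLE is an assumption (the guide only gives the DNS domain example.hp.com); the second Dallas test user, dallas_test2, is taken from Table 4-2.

```powershell
# Added example (not from the HP guide): create the Health Monitoring pools
# for both SBMs in the Lync Server Management Shell and confirm the result.

$Domain  = 'EXAMPLE'           # assumed NetBIOS name of example.hp.com
$SipDomain = 'example.hp.com'

$Pools = @(
    @{ Fqdn = 'seattle-sbm.example.hp.com'; User1 = 'seattle_test1'; User2 = 'seattle_test2' },
    @{ Fqdn = 'dallas-sbm.example.hp.com';  User1 = 'dallas_test1';  User2 = 'dallas_test2'  }
)

foreach ($p in $Pools) {
    # Skip pools that already have a configuration so the script can be rerun.
    $existing = Get-CsHealthMonitoringConfiguration -Identity $p.Fqdn -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Health Monitoring configuration for $($p.Fqdn) already exists, skipping"
        continue
    }
    New-CsHealthMonitoringConfiguration -Identity $p.Fqdn `
        -FirstTestUserSipUri      "sip:$($p.User1)@$SipDomain" `
        -FirstTestSamAccountName  "$Domain\$($p.User1)" `
        -SecondTestUserSipUri     "sip:$($p.User2)@$SipDomain" `
        -SecondTestSamAccountName "$Domain\$($p.User2)"
}

# Verify: one configuration per SBM, each naming its two test users.
Get-CsHealthMonitoringConfiguration | Format-Table Identity, FirstTestUserSipUri, SecondTestUserSipUri -AutoSize
```

The test users must already be enabled for Lync and homed on the SBM's pool (the "Assign Test Users to the SBM" procedure) or the Setup Wizard's PSTN test call cannot be placed with them.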
Figure 4-47. Lync Server Management Shell (New-CsHealthMonitoringConfiguration)

Arrange for the SBM Certificate

The SBM requires a certificate. When you install the SBM, you are prompted to generate a certificate request, which must then be submitted to a Certificate Authority (CA) that can generate a certificate for the SBM.

If you need to change the value, use the Set-CsMediaConfiguration cmdlet. If you need to create a policy to enable QoS for your branch site, use the New-CsMediaConfiguration cmdlet. For example, enter:

New-CsMediaConfiguration -Identity "site:Seattle Branch"

The new configuration is displayed. By default, in the new configuration, QoS is disabled.
4. Right-click Default Domain Policy (or the domain policy that you use for the computers that run Lync) and select Edit.
5. Expand the Computer Configuration > Policies > Administrative Templates > Network > QoS Packet Scheduler folders.
6. Click DSCP value of conforming packets.

Figure 4-49. Group Policy Management Editor Window

7. In the right pane, double-click Guaranteed service type.
8. Select Enabled.

Figure 4-50. Guaranteed service type Properties Window

9. For this solution, you are leaving the default setting for DSCP value at 40.
10. Click OK.

Figure 4-51. Group Policy Management Editor Window

11. If you plan to support video conferencing, follow these steps:
  a. The DSCP value of conforming packets folder should still be selected in the navigation tree. In the right pane, double-click Controlled load service type.
  b. Select Enabled.

Figure 4-52. Controlled load service type Properties Window

12. For this solution, you are leaving the default setting for DSCP value at 24.
13. Click OK.
14. Exit the Group Policy Management Editor window.
15. To update the policy immediately, open a command prompt.
16. Enter this command: gpupdate.

Figure 4-53.
Ready the Branch LAN Infrastructure

This section includes instructions for configuring the networking switch (in which the SBM is installed) at the Seattle branch office—in this solution, an HP E8206 zl switch.

Complete the following steps to configure the HP zl switch to support the Lync-based UC&C solution:
1. Create the voice VLAN and tag all switch ports that connect to IP phones for that VLAN.

Seattle-8212zl(config)# vlan 41
Seattle-8212zl(config-vlan41)# name "Voice"
Seattle-8212zl(config-vlan41)# tagged a1-a24,b1-b24,f1-f23
Seattle-8212zl(config-vlan41)# voice
Seattle-8212zl(config-vlan41)# exit

2.

Ready the Branch WAN Connection

This section includes relevant configurations for the Seattle branch’s WAN router, which in this solution is an HP A-MSR20-40.

Basic Router Configuration

The router at the branch site uses this configuration to provide basic connectivity and to route traffic. (Your router might have other configurations.)

Ethernet1/0
 port link-mode route
 ip address 10.0.0.38 255.255.255.252
GigabitEthernet0/0
 port link-mode route
GigabitEthernet0/0.

You must enter the commands on each router interface:

[Seattle-A-MSR20-20] interface GigabitEthernet 0/0
[Seattle-A-MSR20-20-GigabitEthernet0/0] qos wfq dscp queue-length 64 queue-number 256
[Seattle-A-MSR20-20-GigabitEthernet0/0] interface Ethernet 1/0
[Seattle-A-MSR20-20-GigabitEthernet1/0] qos wfq dscp queue-length 64 queue-number 256

Configure Firewalls

This solution features a firewall module that is installed in the branch office HP zl switch.
Install the SBM

First, install telephony cards in the SBM. Then install the SBM in the HP zl switch. During the installation, you must assign the SBM’s internal port 2 as an untagged member of the correct VLAN. The port ID is the letter of the lower slot in which the SBM is installed, followed by 2. For example, with the SBM in slot E, the command for the Seattle switch is vlan 41 untagged e2.

Figure 4-54. IE Internet Options > Security Window

  d. Click Sites.
  e. Type the exact address at which you will contact the SBM initially. In this solution, you know the SBM’s IP address because it has been assigned an address with a DHCP reservation. Type https://10.4.1.254.

Figure 4-55. IE Internet Options > Security Window

  f. Click Add. The address moves to the Websites list.

Figure 4-56. IE Internet Options > Security Window (Site Added)

  g. Click Close.
  h. Click OK.
2. In your Web browser, for the URL enter https:// followed by the SBM’s IP address. You know this IP address because the SBM receives a fixed DHCP address. For this example, enter: https://10.4.1.
3. A warning is displayed that there is a problem with the site’s certificate.

Figure 4-57. IE 7—Certificate Security Warning Window

Initially, the SBM uses a self-signed certificate, so your browser does not trust it. Click Continue to this website (not recommended).

Note: If you cannot access the SBM at this IP address, you must access it through the HP zl switch CLI and check or set the IP address.

Figure 4-58. Setup Wizard—Reset Password Page

6. For Old Password, type the default password (P@ssw0rd).
7. The new password must meet the standard Windows password complexity requirements: it must include at least three of the following:
  • A lowercase letter
  • An uppercase letter
  • A number
  • A special character
8. When you have set the new password, click Submit. You are prompted to log in again. Use the new credentials.
Figure 4-59. Setup Wizard—Connection to Window
9. If you want, read through the product overview. Click Next.
10. The next page provides an overview of the setup process.
Figure 4-60. Setup Wizard > Installation Process Overview Page
11. Click Next.
12. In this solution, the SBM is already using the correct network settings.
Figure 4-61. Setup Wizard—Configure IP Settings Page
13. Leave the current interface enabled (this is the interface mapped to the SBM’s internal port 2, and disabling it causes the module to fault). Click Next.
14. The SBM takes its clock from the HP zl switch in which it is installed. However, you must set its timezone and Daylight Saving Time policy. These settings must match those on the HP zl switch, or the installation will fail.
15. Select your timezone from the Set Timezone list. In this example, select the Pacific timezone.
Figure 4-62. Setup Wizard—Configure System Time
16. If you enabled Daylight Saving Time on the switch (as you did in this solution), leave the check box selected.
17. Click Set Time Zone.
Note Changes to the HP zl switch time will not take effect on the SBM until the SBM reboots.
18. Click Next.
19. On this page, you join the SBM to the domain.
20. Next, type the credentials for a domain user allowed to join the SBM to the domain. For this example, type sbmtech and the password assigned to this user.
21. For Domain, type the entire domain name including the top-level domain (for this example, example.hp.com).
Figure 4-63. Setup Wizard—Join the Domain
22. Click Join.
23.
Figure 4-64. Setup Wizard—Reboot Countdown
24. While the SBM reboots, close the Web browser interface, which ensures that you are properly logged out.
25. After the SBM has rebooted, open the Web browser, log in as the sbmtech user, and navigate to the SBM’s FQDN.
26. When prompted to log in, do not log in as the local Administrator.
Figure 4-65. Setup Wizard—Initiate Installation Process Page
28. When all tasks have been completed successfully (this might take about ten minutes), click Next.
Next you install certificates on the SBM. In this solution, the domain has a CA, and the root CA certificate was automatically installed on the SBM when it joined the domain. Therefore, you do not need to install the root CA certificate chain. You have several options for installing the SBM’s own certificate.
administrator. (To learn about other options, refer to the HP Survivable Branch Communication zl Module powered by Microsoft LyncTM Administrator’s Guide.)
29. In the Install Lync Server Certificates page, select Generate Certificate Request.
Figure 4-66. Setup Wizard—Install Server Certificates > Generate Certificate Request
30. The Subject Alternate Name field is automatically populated with the SBM’s FQDN. Leave this field as it is.
31.
Figure 4-67. Setup Wizard—Install Server Certificates > Generate Certificate Request
33. Copy all of the text in the box into a file on your management station. (You can use a simple text editor such as Notepad.)
Figure 4-68. Certificate Request Save in Notepad
34. Save the file and submit it to the domain CA administrator.

Generate a Certificate for the SBM

When the CA administrator receives the certificate request (which will arrive during the SBM installation process), he or she completes these steps:
1. Log in to a computer as a user with CA Administrator rights.
2. Transfer the SBM certificate request file (which you received from the SBM administrator) to this computer.

Continue Installing the SBM and Completing the Setup Wizard

1. You must wait for your data center contact to return a certificate file to you before you complete step 4 on the Generate Certificate Request page (Import Certificate to System Store). When you receive the file, transfer it to your management station.
2. In the Setup Wizard, you are at 4. Import Certificate to System Store. Browse to the file.
Figure 4-69.
Figure 4-70. SBM Web Server Certificate Updating
5. You may need to log in again on the certificate window and click Next.
6. In the next page, you will configure your PSTN settings. Click PSTN Setup Wizard.
Figure 4-71. Setup Wizard—Quick Setup Start Page
7. In the window that is displayed, click Next.
8. The Boards section is automatically populated with the telephony cards that you have installed in the SBM. Select the check box for a board that you want to use.
9. The Interfaces section is automatically populated with an interface for each interface on the card. Select the check boxes for the interfaces that you want to use.
Note When you select a second check box in the Select Boards section, you no longer see the interfaces for the first board in the Select Interfaces for Board section. However, the interfaces on the first board are still selected.
11. If you have FXS interfaces, you must fill in the Caller Name and Phone Number for each. (Refer to your PSTN carrier for the correct phone numbers.) Enter the full phone number, but not the E.164 number.
Figure 4-73. Setup Wizard—Country Selection Page
14. Click Next.
Figure 4-74. Setup Wizard—PSTN Digital Configuration Page
15. You should have obtained the correct settings for your PSTN connections from your carrier. In this example, you are using the default T1 values.
16. Click Next.
17. For Transport, select the protocols that your data center contact told you to use for the Media Gateway’s (PSTN gateway’s) listening protocol.
Figure 4-75. Setup Wizard—SIP Configuration Page
19. Leave the default setting for Primary IP Address.
20. For Media encryption level, select Require Encryption. (This is the setting for this solution; you could also leave the default setting.)
21. Click Next. The Call Routing Configuration page is displayed.
22. The SIP Transport for outgoing calls field is automatically populated with TLS.
23. For Primary SIP Server Address, type the SBM’s FQDN.
Figure 4-76. Setup Wizard—Call Routing Configuration Page
25. The PSTN Outbound Number Mask is a regular expression that selects incoming phone numbers and maps all or part of the number to the dialed number in the outbound PSTN call. The default setting selects E.164 numbers and leaves them as they are. Lync calls always have a leading +. For this example, the PSTN gateway does not accept calls with the leading +, so you need to strip it.
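The outbound number mask described in step 25, as an added example that is not part of the guide or the SBM’s own code: it models the mask as a regular expression plus a replacement, shows the default keep-E.164 behaviour beside the strip-the-plus variant this solution needs, and refuses to dial any number the mask did not select. The Python re syntax, the mask tuples and the sample numbers are assumptions; the wizard’s actual mask syntax is not given on the page.

```python
import re
from typing import Optional, Tuple

# Added example (not the SBM's own mask syntax): a mask is modelled here as a
# Python regular expression plus a replacement template, following the wizard's
# description of the PSTN Outbound Number Mask.
Mask = Tuple[str, str]

# Default-style mask: select E.164 numbers (+ then 2..15 digits) and leave them as they are.
MASK_KEEP_E164: Mask = (r"^(\+[1-9][0-9]{1,14})$", r"\1")

# Mask for this solution: the gateway does not accept a leading +, so strip it.
MASK_STRIP_PLUS: Mask = (r"^\+([1-9][0-9]{1,14})$", r"\1")


def apply_outbound_mask(number: str, mask: Mask) -> Optional[str]:
    """Map a Lync (E.164) number to the number dialed on the PSTN trunk.

    Returns None when the mask does not select the number, so the caller can
    fail the call instead of sending an unexpected string to the carrier.
    """
    pattern, replacement = mask
    match = re.fullmatch(pattern, number)
    if match is None:
        return None
    dialed = match.expand(replacement)
    # Defensive check: only digits (and at most a leading +) may reach the trunk,
    # whatever the replacement template produced.
    if re.fullmatch(r"\+?[0-9]+", dialed) is None:
        return None
    return dialed


def route_to_pstn(number: str, mask: Mask = MASK_STRIP_PLUS) -> str:
    """Return the digits handed to the Media Gateway; raise for unselected numbers."""
    dialed = apply_outbound_mask(number, mask)
    if dialed is None:
        raise ValueError(f"number {number!r} not selected by outbound mask")
    return dialed


if __name__ == "__main__":
    # Constructed sample numbers, not taken from the guide.
    for sample in ("+14255550100", "14255550100", "+1425555ABCD"):
        print(sample, "->", apply_outbound_mask(sample, MASK_STRIP_PLUS))
```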
Figure 4-77. Setup Wizard—Services Configuration Page
29. It is recommended that you leave both check boxes selected.
30. Click Save.
Figure 4-78. Setup Wizard—Post Quick Setup Script Window
31. After a minute, you will see the output for the execution of the settings that you configured. You should not see any errors.
Figure 4-79. Setup Wizard—Post Quick Setup Script Window
32. Click Next.
Figure 4-80. Setup Wizard—Quick Setup Complete Window
33. You have completed the configuration, but it does not apply until you restart the gateway. Click Restart Gateway to do so now.
34. You are moved to a window where you can check the gateway’s status. The status should be running.
Figure 4-81.
35. To finish the PSTN Wizard, close the window using the X in the top right corner of the window.
36. Once the Media Gateway is running, connect your PSTN interface or interfaces to the carrier equipment. Use the standard cables specified for your card (refer to the installation guide for that card).
Important On a T1/E1 card with multiple interfaces, the card uses the clock signal from the first interface (Port 1) to support echo cancellation.
Figure 4-83. Setup Wizard—PSTN Config Window
b. Click Physical Configurations and expand the folder.
c. In the left pane, select the analog board.
d. Click Analog Configuration in the right pane.
e. For Analog Clocking, select External.
Figure 4-84. Setup Wizard—PSTN Config Window
f. Click Save and close the PSTN Config window (click the X in the top right corner).
40. To apply your changes, you must restart the gateway. Click Stop under Media Gateway Status in the PSTN Configuration page. After the status indicates that the gateway has stopped, click Start.
41. Click Next in the PSTN Configuration page. In the next page, you initiate a PSTN call to test the connection. However, you chose to require encryption for SIP, which causes the call to fail.
Figure 4-86. Setup Wizard—Start Lync Services Page (Success)
44. Click Next.
45. You will now place a test call. For the purposes of troubleshooting, you might want to log your test calls. If so, in the Troubleshoot PSTN Configuration section, click the Start button next to Call Logging. You can view the logs by clicking the PSTN Call Logs link. In addition to viewing the logs in this window, you can download them. The logs are XPS files.
Caution Logging calls is processor intensive and will affect your SBM’s performance. Only use call logging for troubleshooting. In addition, the HP SBM is capable of logging information that is considered private in some countries. Local privacy restrictions must be considered whenever logging is enabled. Access to log files should be carefully controlled.
Figure 4-88. Setup Wizard—Place Lync Test Call (Success)
47. After the call succeeds, click Stop next to Call Logging if you have enabled this feature.
48. The Installation and Configuration Complete page displays the status for each of the services running on the SBM.
49. Click Finish Installation Process to launch the SBM Dashboard, from which you will monitor the SBM and perform any ongoing maintenance tasks.
50.
Figure 4-89. Lync Server 2010 Control Panel > Users Window
2. In this solution, the users are already Lync users. Use the Search field to find the users.
3. Select the users. Then click Action > Move selected users to pool. It is recommended that you do not select the Force check box, as this option deletes data associated with the user.
Figure 4-90. Lync Server 2010 Control Panel > Users Window
4. For Destination registrar pool, select the correct SBM’s FQDN. In this example, select seattle-sbm.example.hp.com.
Figure 4-91. Lync Server 2010 Control Panel > Move Users Window
5. Click OK. The SBM deployment is now complete.
Example Solutions Test Results

Test Results

Branch and HQ Site Interoperability (1)

Test Methods
Test voice and video calls are placed between the HQ and various branch sites. The calls are placed and monitored by two engineers for no major errors before the MOS scores are generated from the QoE monitor. The specific call configurations, packet loss, and latency scenarios are documented in Table 4-10 below.

Table 4-10. Branch Network Condition Scenarios
(Columns: Branch; Network condition; Scenario; Average jitter; Lync (OCS 14) average NMOS)

Branch: New York to Dallas
Network condition: 80% pipe full, 55 ms latency each way, 25% packet loss
• Soft client to soft client: average jitter 1, average NMOS 4.2
• Soft client to IP phone client: average jitter 1, average NMOS 3.8
• IP phone client to IP phone client: average jitter 1, average NMOS 3.75

Branch: Main site (Sacramento) to New York
Network condition: 80% pipe full, 75 ms latency each way, 5% packet loss
• VGA video quality: average jitter 2, average NMOS 4.12

Branch: Seattle to New York
• VGA video quality: average jitter 2, average NMOS 4.