Mobility: Connecting Remote Workers TeliaSonera SIP Trunking Deployment © 2011 Intertex Data AB Prepared for:Ingate Systems 3 Day Seminar Unified Communications: SIP Trunking, Video, Collaboration and More ITEXPO Conference, Austin, September 2011 By: Karl Erik Ståhl President Intertex Data AB CEO and Chairman Ingate Systems AB Also see Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011!
© 2011 Intertex Data and Ingate Systems What are Mobility and Remote Users? We certainly want our home workers connected to the company PBX And the same goes for our road warriors -at the hotel -at public WiFi All should have all PBX services -Reached by extension number or DID -Place PSTN calls (displaying correct CallerID) -Voice mail, conferencing etc. -Presence, IM, video if supported by the PBX Call me on my Swedish office number now! 2 slides from Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011!
INGATE LAN ingate.com Internet US, Miami THIS LAN, SIP Trunk-UC Summit CELL PSTN INTERTEX LAN intertex.se Sweden 3G PSTN SIP/PSTN Gateway SIP Trunk Provider 1 PSTN SIP/PSTN Gateway SIP Trunk Provider 2 Japan
We Saw Mobility and Beyond POTS Ordinary phone calls reach my laptop across the Ocean! I can use extension number as connected to the home PBX And I see presence and can put calls into conference… I can also: Call Sophie in another domain (federate) … even with Video … even though, she is also remote from the Ingate office (Actually she is in the room.) … with media going the shortest way (here on the LAN) while signaling goes back to Sweden!
© 2011 Intertex Data AB 5 We Saw Mobility and Beyond POTS All other PBX functionality also works remotely E.g. IM (Instant Messaging) And voice mail comes via , and can be played by a click here.
© 2011 Intertex Data AB 6 But Why are NATs and Firewalls Such Obstacles Typical Internet protocol (SMTP, HTTP…) Internet HOST SERVER SIP (and H.323…) connects Person-to-Person Internet PERSON Locate the personSet up a session + Open real time media streams +
© 2011 Intertex Data AB 7 SIP Does It! – But a Very General Solution is Required PSTN Public Internet SIP Trunking Provider GW SIP System Data & VoIP LAN IP-PBX Soft Clients and Multimedia Terminals Intertex IX78 E-SBC The SIP Proxy in the E-SBC forwards and rewrites the SIP signaling and controls media through its NAT/Firewall. Remote User DNS intertex.se
© 2011 Intertex Data AB 8 And there May be More to Consider (Telia Network)… IX78 E-SBC is a SIP Proxy based Firewall Controlling SIP Signaling and Media TR-069 Internet IP-TV VoD IP-TV VoD IMS VoIP IMS VoIP PDA VLANs or ADSL Virtual Circuits The Multimedia LAN WiFiWiFi IP- PBX SIP Trunk Remote User The remote user is often behind a remote NAT/FW – SIP Traversal needed. Far End NAT Traversal (FENT) can be enabled in the IX78 E-SBC. NAT FW SIP on different WAN pipes must be handled
© 2011 Intertex Data AB 9 Remote Users Require More Security Measures Remote users to the PBX can be authenticated by the IX78 (also) Brute Force Attack Protection Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SipVicious / friendli-scanner). After 3 trial we pretend all attempts are wrong, so the correct one is never found.
© 2011 Intertex Data AB 10 …in Addition to e.g. Preventing SIP DoS Attack Signature Recognition If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block attacking IP address. New signatures can be added manually or provisioned automatically. SIP Rate Limiting: If there are more than 20 SIP packets/seconds from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/seconds.
11 Different Types of PBXs are SIP Trunked Data LAN only PBX with system system phones phones PBX Type 1.5 VoIP & Data LAN PBX Type 2 IP- PBX PBX Few PBXs are of this type. Asterisk with firewall (IPtables /NETfilter) can be compiled and configured this way, but requires a lot. A Good E-SBC Should Provide: 1)NAT/Firewall Traversal – Must NAT to same address space! 2)Basic SIP and Network Interoperability - E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc. 3)SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc. 4)Features - E.g. Remote Users, Administration (remote and local) 5)Security - LAN/PBX/VoIP network protection, Service attack protection VoIP & Data LAN IP- PBX PBX PBX Type 1 Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk. SIP Trunk Interface Signaling: Media: SIP Trunk PSTN SIP Trunking Provider Network GW SIP System 2) 3) 4) 5) IX781) 2) 3) 4) 5) But they may not have SIP Phones...
© 2011 Intertex Data and Ingate Systems 12 Remote Users Supported If the PBXs uses SIP compliant phones IX78 E-SBC set up to forward incoming SIP to the PBX Can use WAN IP address or domain name in the SIP address. The E-SBC can authenticate the users Remote users should preferably also be behind an Intertex/Ingate E-SBC for automatic NAT/Firewall traversal If the remote user is behind an ordinary NAT/Firewall (non SIP aware), FENT (Far End Nat Traversal) can be enabled in the IX78 E-SBC If non-SIP IP phones are used, the PBX vendor may have some tunneling solution for remote workers The IX78 not involved Standard SIP phones (local or remote) can also be registered directly to the IX78 E-SBC Directly ready for remote users The E-SBC will authenticate the users Extension numbers can be integrated Not all PBX features will be available to such phones
© 2011 Intertex Data AB 13 PBX with non-SIP phones SIP Clients Can be Registered Directly to the IX78 E-SBC There are many PBXs out there that do not allow Soft Clients, Remote Users or Standard SIP Phones. Registrar Soft Client WiFi Mobile Remote Users Numbers integrated
14 E-SBCs & SIP Capable Firewalls Ingate Systems Inc. 7 Farley Road Hollis, NH United States Ph: +1 (603) Tel sv: Intertex Data AB Rissneleden 45 SE Sundbyberg Sweden Tel: See us at ITEXPO Room 9C!
© 2011 Intertex Data AB 15 Ordinary Voice IADs – Good for Telephony Replication… Internet The 5060 SIP-port is just grabbed on the outside to the FXS ports! Lower level SIP ALGs often cause problems and do not handle more than basic scenarios. SIP to the LAN or WiFi Calls between SIP clients on LAN Calls between internal ATA ports and LAN clients Call transfers, 3-party calls, etc. Using SIP generally over the Internet (Operator took all the SIP) (Users must not be deprived of general SIP-functionality!) Often problems with, or total lack of: Telephone ports (FXS) on the CPE is a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
© 2011 Intertex Data AB 16 No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode. * Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open. Our CPEs are SIP Capable NAT/Router/Firewalls Internet Problems solved where they occur Wired or wireless SIP clients (phones, soft clients, PDAs) No special requirements on the SIP Client – Just standard SIP SIP All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT General, can handle complex call scenarios and all SIP services Additional functionality available (SIP server, PBX functionality etc.) IMS