Release the full potential of your Cisco Call Manager with ... branch offices with CCM 4.x or 5.x

Release the full potential of your Cisco Call Manager with Ingate Systems
- Save cost with flexible connection to Service Providers.
- Save mobile costs, give VoIP mobility to your workforce.
- Set up an effective VoIP architecture for branch offices.


Table of contents

Connection to Service Providers with CCM 4.x and 5.x
    Connecting to Service Providers without Ingate
    Connecting to Service Providers with Ingate
Connecting branch offices with CCM 4.x or 5.x
    Connecting branch offices without Ingate
    Connecting branch offices with Ingate
Connect Remote Users to CCM 5.x
    Connect Remote Users without Ingate
    Connect Remote Users with Ingate
Connect Remote users for basic call to CCM 4.x

About this document

The purpose of this document is to give an overview of how Ingate can add value to any Cisco Call Manager installation for the following scenarios:

• Connecting to Service Providers SIP Trunks
• Connecting branch offices
• Support for Remote Users (CCM 5.x only)

We also discuss how these issues are most commonly solved without Ingate products and the specific benefits of implementing an infrastructure with Ingate Firewalls or SIParators.

Connection to Service Providers with CCM 4.x and 5.x

Cisco Call Manager (CCM) versions 4.x and 5.x both support SIP trunks. SIP trunks provide connectivity to other SIP devices such as gateways, proxies, voicemail systems, and other Cisco Call Manager clusters. They can thus be used for connection to a Service Provider’s PSTN Gateways over the Internet.

Connecting to Service Providers without Ingate

The most common method today to connect the Cisco Call Manager to a Service Provider is by a local PSTN Gateway on the LAN (Fig. 1).

Figure 1

Another method is to use the built-in SIP trunk functionality in Cisco Call Manager (CCM) to connect to a Service Provider (Fig. 2). This is common when the CCM is managed by the Service Provider.

Figure 2 (diagram labels: Call Manager 4.x or 5.0; Phones, PC, Laptop; Firewall; SIP Trunk from Service Provider via MPLS (or Dedicated line); Internet; PSTN Gwy; PSTN)

SIP traffic cannot traverse tight enterprise firewalls. To overcome this issue the SIP trunks in this case are delivered with some sort of dedicated MPLS (a Service Provider managed VPN with guaranteed Quality of Service, QoS) or as a dedicated line. The result is that the enterprise is tied to the specific Service Provider that delivers the PRI shown in Figure 1 or the SIP trunk shown in Figure 2. The enterprise cannot save costs by making “Global Calls to local fees” through the new type of Service Providers that offer local PSTN break-outs over the Internet. On the other hand, the enterprise will be able to hold the Service Provider responsible for delivering a certain quality in the Service Level Agreements.

However, the core network of the Internet is often not a bottleneck today. The last mile to the network can be, but with the right QoS prioritization and admission control at the enterprise edge this is more a theoretical than a practical problem. In fact, many traditional Service Providers use the Internet to deliver long distance calls from one country to the other anyway.

Connecting to Service Providers with Ingate

There is a big potential to save costs by using IP telephony as it was meant to be used: staying on IP as much as possible from one person (or enterprise) to the other. In addition, there is a cost saving potential in using the same Service Provider link for both data and voice. With a SIP trunk instead of a local PSTN Gateway the enterprise will save significant cost by:

• Not having to pay charges for BRI/PRI connections.
• Not having to buy and maintain the local PSTN Gateway.
• Not having to buy additional PSTN Gateway HW as the need for more lines grows.
• Obtaining better redundancy of the PSTN connectivity.

However, to benefit from this cost saving, the issue of traversing firewalls must be solved in a secure and controlled way. In addition, intelligent SIP routing must be applied to get the most out of the solution.

Ingate Systems has been committed to bringing SIP to the enterprise ever since we launched the world’s first SIP capable Firewall in 2001. Our award winning SIParator® connects to any enterprise Firewall to make it SIP capable. In Figure 3 below, the Ingate SIParator enables a joint MPLS SIP trunk and data (Internet) connection from a Service Provider.

Figure 3 (diagram labels: Call Manager 4.x or 5.0; Phones, PC, Laptop; Firewall without SIP support; SIParator with Advanced SIP Routing in the DMZ; SIP Trunk and Data from Service Provider via MPLS; Internet; PSTN Gwy; PSTN)

Many service providers offer SIP trunks over the Internet at a best effort service level. There is significant cost to be saved by utilizing the existing Internet infrastructure for voice delivery. An acceptable level of quality of service can be obtained by over-provisioning the capacity of the Internet link so that the last mile connection to the enterprise never becomes a bottleneck. Figure 4 below shows how the enterprise can connect to the PSTN in a very flexible way by using multiple SIP trunks directly to the Service Providers over the Internet. Note that there is no VPN, MPLS or dedicated line involved in this example.

Figure 4 (diagram labels: Call Manager 4.x or 5.0; Phones, PC, Laptop; Firewall without SIP support; SIParator with Advanced SIP Routing in the DMZ; SIP Trunk(s) from Service Provider(s) via Internet; PSTN break-outs in SE, UK, USA, FR, JP, DE, IT)

Of course it is possible to combine both of the delivery methods in Figures 3 and 4 to get an optimal solution, and even keep the existing local PSTN Gateway for local calls or as a backup solution. The enterprise may want to have an MPLS-based SIP trunk for guaranteed QoS for local calls (Fig. 3) while utilizing the Internet-based SIP trunk for some overseas calls (Fig. 4).

In both cases the Ingate SIParator® [1] enables SIP through the enterprise firewall and authenticates to the Service Provider. Note that this cannot be done with the simple SIP Application Layer Gateway (ALG) functionality that resides in some firewalls with basic SIP support.

Ingate’s flexible Advanced SIP Routing module is able to route local calls to the local PSTN Gateway or to any of the different SIP trunks based on a number of parameters including but not limited to country codes. This advanced functionality is not available in the SIP ALG based products.

Very soon most service providers will support encrypted media (SRTP) to prevent eavesdropping on conversations. This is another function that cannot be supported in the SIP ALG solution.

Ingate supports a future-proof migration path from PRI/BRI connections, over SIP trunks via MPLS, to the freedom to connect to any service provider over the Internet.

[1] Anything said about the SIParator also applies to the Ingate Firewall, if not explicitly stated differently.

Benefits of this solution, and the features that Ingate brings to each [2]

Benefit: Save connection cost.
Feature: Use of the Internet connection instead of paying for PRI interfaces.

Benefit: Save the cost of the local PSTN Gateway, better redundancy.
Feature: No need to have a local PSTN Gateway in the enterprise. No issue with a PSTN Gateway that must be maintained and may break down. The Ingate device is needed anyway to support other SIP communication such as IM and Application Sharing.

Benefit: Flexibility for the growing enterprise.
Feature: The enterprise can grow the number of lines by just adding more traversal licenses (one per concurrent call) up to the capacity of the Ingate device. No additional investment in hardware is required as in the case of PSTN Gateways.

Benefit: Global calls to local fees.
Feature: Near-End-NAT traversal. Authentication to Service Providers. Freedom to connect to any SIP trunking Service Provider over the Internet. Flexibility to interoperate with carrier-specific numbering plans.

Benefit: Least cost routing of international calls.
Feature: Ingate can match on country code and connect to a local Service Provider or to a local PSTN Gateway at the local branch office.

Benefit: Fail over to “backup SIP trunking Service Provider”.
Feature: If Ingate detects that the primary service provider is not responding or responds with an error message, the call can be routed to another Service Provider or to the optional local PSTN Gateway on the LAN.

Benefit: Stay on IP as long as possible.
Feature: Ingate can perform ENUM lookup to route the call IP-IP all the way if possible.

Benefit: Protection from eavesdropping.
Feature: Ingate supports encrypted SIP signaling (TLS), which makes it harder to track a call. In addition we support encrypted media (SRTP).

Benefit: Prevent unwanted traffic.
Feature: Ingate can be set to match SIP messages on the From headers (both user name and domain) as well as on the Request URI (both user name and domain). When a Request URI is forwarded it can be rewritten to map to certain requirements, like a changed user name and domain. This gives the ability to specify which SIP traffic should be allowed and to filter out unwanted traffic based on where the traffic came from, using either the originating domain or even the IP address. Black list/white list functions allow for stopping known unwanted traffic like SPIT (Spam over Internet Telephony).

Benefit: “Virtual local presence” for customers.
Feature: Ingate can route any incoming calls to certain groups or numbers. Example: the enterprise may have a local phone number in the UK to give customers a local number to call. Ingate can route e.g. +44-567 56 765 to sales@enterprise domain or to a number at the sales department. When a call to the UK is made, the number +44-567 56 765 can be shown to the customer. In this way a sales person can be in Stockholm and appear local to the customer in the UK.

Benefit: Advanced routing of calls.
Feature: The Ingate Advanced SIP Routing software module gives the administrator a flexible tool to define rules for routing of calls. To mention a few examples, incoming calls can be forwarded in sequence (hunt groups), meaning a call can first be routed to one person’s phone, then routed to another line (and eventually to voicemail) if there is no answer. Calls can also be forwarded in parallel (forking): sent to several people at once, then delivered to the one who picks up the call first. This flexibility offers any enterprise choices in the way they set up their communication environment to guarantee that all calls will be handled in the best possible way and not left unanswered.

Benefit: Support for Emergency Calls.
Feature: Ingate also includes support for emergency calls, as we always allow emergency calls to be routed through to the emergency services center, even if all traversal licenses are in use at that time.

Benefit: Use of low cost accounts at the Service Provider.
Feature: Some service providers offer so-called soft accounts intended for a software client. Given that the agreement allows multiple users for a single account, significant cost may be saved by registering the Ingate device at the Service Provider rather than multiple software clients. Some of these account types may even have a flat fee per month for unlimited calls.

Benefit: General toolbox to solve complex deployment issues.
Feature: Ingate supports Regular Expressions (text strings that describe a search pattern for matching strings) to set up rules for complex scenarios with several options and features involved.

[2] All references to “Ingate” refer to both the Ingate Firewall and the Ingate SIParator. Most functions mentioned require the Ingate Advanced SIP Routing software module to be installed in the Ingate device. Some of these features could be implemented in the Cisco Call Manager instead; each individual customer case will decide where each feature is best implemented.
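The From/Request-URI matching, Request-URI rewriting, country-code routing and failover described above, sketched as an added Python example (this is not Ingate's code or configuration syntax). The domains, IP address, trunk names and the choice of "no response or 5xx" as the failover trigger are assumptions made for illustration.

```python
import re

# All domains, addresses and trunk names below are constructed for illustration.
BLOCKED_IPS = {"203.0.113.9"}

# Ordered rules, first match wins: (From pattern, Request-URI pattern, action, rewrite).
# Patterns are regular expressions matched against "user@domain".
RULES = [
    (r".*@spit-source\.example", r".*", "reject", None),            # black list by domain
    (r".*", r"\+4456756765@enterprise\.example", "forward",
     "sales@enterprise.example"),                                    # virtual local presence
    (r".*@(partner|provider)\.example", r".*@enterprise\.example",
     "forward", None),                                               # white list
]

# Outbound trunks per E.164 prefix, listed in failover order; "" is the default route.
ROUTES = {
    "+44": ["uk-provider", "default-provider", "local-pstn-gw"],
    "+46": ["local-pstn-gw", "default-provider"],
    "": ["default-provider", "local-pstn-gw"],
}


def split_uri(uri):
    """Return (user, domain) of a sip:/sips: URI; port and parameters are dropped."""
    m = re.fullmatch(r"sips?:(?:([^@;]+)@)?([^;:@]+)(?::\d+)?(?:;.*)?", uri.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return m.group(1) or "", m.group(2).lower()


def filter_request(from_uri, request_uri, source_ip=None):
    """Return ("forward", new_request_uri) or ("reject", None); unmatched traffic is rejected."""
    if source_ip in BLOCKED_IPS:
        return ("reject", None)
    sender = "%s@%s" % split_uri(from_uri)
    target = "%s@%s" % split_uri(request_uri)
    for from_pat, ruri_pat, action, rewrite in RULES:
        if re.fullmatch(from_pat, sender) and re.fullmatch(ruri_pat, target):
            if action == "reject":
                return ("reject", None)
            return ("forward", "sip:" + (rewrite or target))
    return ("reject", None)


def route_call(number, send_invite):
    """Pick the longest matching prefix, then try its trunks in order.

    send_invite(trunk) returns a SIP status code, or None when the trunk does
    not respond. Assumption: no response or a 5xx answer triggers failover.
    """
    prefix = max((p for p in ROUTES if number.startswith(p)), key=len)
    for trunk in ROUTES[prefix]:
        status = send_invite(trunk)
        if status is not None and status < 500:
            return trunk, status
    return None, None


if __name__ == "__main__":
    print(filter_request("sip:caller@anywhere.example",
                         "sip:+4456756765@enterprise.example"))
    print(route_call("+442071234567",
                     lambda trunk: None if trunk == "uk-provider" else 200))
```

The rule list ends in a default reject, so traffic is only forwarded when a rule explicitly allows it; rule order matters because the black list entry must be evaluated before the broader allow rules.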


Connecting branch offices with CCM 4.x or 5.x

The first thought when it comes to connecting branch offices with the headquarters may be to use existing VPN connections. But this is just an interim solution and in many ways even a bad solution. Within the next few years a person’s SIP address will be just as common as an e-mail address is today. The emerging use of collaboration over SIP (not just voice but also IM, Application Sharing etc.) will drive the need for global connectivity for SIP sessions. Setting up a VPN connection to everyone you want to communicate with is not a feasible option.

Connecting branch offices without Ingate

The use of VPN creates an isolated VoIP island. Often the VPN is not fully meshed with VPN connections from every site to every site. It is quite common that each VPN tunnel ends up at the headquarters as shown in Figure 4 below.

Figure 5

This configuration not only prevents connectivity to customers and partners, it also overloads the headquarters site with all the calls. If a person at branch office A wants to call a person at branch office B, the media has to travel all the way from A to the headquarters and then back to B. A call in this setup will waste bandwidth and add unnecessary load on the headquarters’ infrastructure. It may also add delays in the Internet infrastructure, resulting in lower voice quality.

Connecting branch offices with Ingate

The only way to have the media taking the shortest route between A and B is to have a fully SIP capable Firewall or SIParators at the enterprise edge.

Figure 6

This solution not only gives an optimal flow of calls in the enterprise; the ability to connect to Service Providers and external parties like customers and vendors is also inherent in this architecture.

With CCM 4.x the offices can be connected via SIP trunks, CCM server to CCM server. This is an option also for CCM 5.x, but the inherent SIP client support in this version also gives the ability to connect clients at the branch office directly to the headquarters CCM server. In this hosted CCM scenario Ingate can provide Remote Survivability for the branch office. If the connection to the hosted CCM at the headquarters fails, Ingate can take over and route the calls locally or to a backup PSTN Gateway.

The media can be encrypted with SRTP (Sdescriptions) between the different Ingate devices, over the Internet, without the need for SRTP support at the clients or CCM.

Connect Remote Users to CCM 5.x

Please note that this section is only valid for Cisco Call Manager 5.x, as CCM 4.x does not have support for SIP clients. However, Ingate can add connectivity for basic calls also for remote users in a CCM 4.x environment; please see “Connect Remote users for basic call to CCM 4.x”.

The business professionals of today are some of the earliest adopters of convergence technology; most, in fact, find themselves connected to the Internet around the clock, whether they are working from their homes or any other place in the world. Wouldn’t it be ideal to take the last part of the office, the fixed phone, with them wherever they are, and enable them to be in the office without really being in the office? This is a reality with the new Cisco Call Manager 5.0 because of the inherent support for SIP clients, including soft clients in laptops and dual Mobile/WiFi phones.

Connect Remote Users without Ingate

In this case, too, the first thought may be to use VPN tunnels. Using a VPN to carry the SIP traffic from the client across the firewall to the CCM 5.0 on the LAN is of course an option. However, the limitations of the VPN solution are even more severe in this case:

• Isolated VoIP island; does not allow calls from any external parties over IP.
• Works where you have control over the infrastructure, in home offices etc.
• Does not always work from hotels etc. (in our experience ~50% of the cases).
• WiFi phones and dual Mobile/WiFi phones normally do not have VPN clients.
• Do you really want to start a VPN client just to receive a call?
• QoS can be taken out of play in some VPN implementations where the headers are encrypted.

Many enterprises have started to reconsider their VPN (IPSec) strategy for remote users because of the cost of maintaining and supporting the individual users. A VPN tunnel is an open freeway from the client device into the parts of the enterprise network that you want to access. The irony is that the VPN that was supposed to ensure security can now be a threat if the client device is compromised by malicious code (Trojans, spyware etc.). This is why the use of SSL “client-server” based encryption, e.g. MS Outlook to Exchange, has grown in popularity as an alternative to VPN for remote users.

Connect Remote Users with Ingate

Ingate’s Remote SIP Connectivity (RSC) software module allows displaced users to traverse most SIP-unaware residential firewalls and NAT devices and use SIP communications through the Ingate product installed at the enterprise edge. The solution works for most common remote NATs, even symmetric ones, and for remote residential firewalls that are not too tight (e.g. having critical ports closed from the inside of the remote LAN).

With RSC installed in the Ingate Firewall or SIParator, the enterprise can let remote users leverage all the functionality in the CCM 5.0 as if they were in the office. This is all transparent. No additional configuration or software is required at the client side.

Figure 7 (diagram label: Remote SIP Connectivity)

Ingate Remote SIP Connectivity supports scenarios like these:

• Traveling users at hotels.
• Traveling users using the visitors network at customers.
• From the broadband connection in the home.
• From wireless hotspots.
• Small branch offices and home offices with less tight firewall policies.

Ingate Remote SIP Connectivity gives the following benefits:

• Transparency
  Access to all the functions in CCM 5.x from any Internet connection.
  No need for additional configuration or software at the client.
• Significant cost savings on the mobile phone bill for home workers and road warriors
  Answer your business phone from any Internet connection.
  Make calls from any Internet connection.
• Cost savings for the home worker
  No need for a separate business line in the home office.
  No need to make expense reports for use of the private phone.

How does it work?

Please note that RSC will not work if the remote user sits behind a tight enterprise firewall. If the clients have support for the STUN standard, Remote SIP Connectivity utilizes the built-in Ingate STUN server. Otherwise RSC utilizes the fact that most firewall/NAT devices in those semi-public places have less tight firewall policies, if any at all. In this case RSC does the Far-End-NAT traversal (FENT) by sending return media to the same media port in the remote firewall/NAT that was first used for the communication. The FENT function aids remote SIP clients by rewriting the relevant information in SIP messages and relaying media through the Ingate device, as well as keeping the remote client reachable.

Connect Remote users for basic call to CCM 4.x

Cisco Call Manager 4.x does not have support for SIP clients. But with Ingate’s built-in SIP registrar and advanced SIP routing features, remote users who are traveling or working from a home office can be connected to CCM 4.x as if they were in the office. This solution is limited to basic calls only, since the remote user registers at the Ingate SIParator, free-standing from the CCM 4.x environment. Ingate’s advanced SIP routing capabilities are then used to fork incoming calls from the SIP trunk both to the CCM 4.x and to the registered SIP clients simultaneously; see Fig. 8 below. Outgoing calls from the SIP clients will be routed to CCM 4.x, which in turn routes the call to the internal Skinny client or to the SIP trunk for external calls.

Figure 8 (diagram label: Remote SIP Connectivity)

All scenarios described for CCM 5.x (Fig. 7) will work, but only for basic calls without the different CCM features. This can be very useful to extend the business phone reach to road warriors and home users, to get better availability for customers and colleagues. In addition, significant cost savings will come from reduced mobile phone bills.