TANDBERG User Manual

Contents

1. Determines whether or not the Border Controller will allow firewall traversal using TANDBERG's proprietary Assent protocol. Defaults to On.
   xconfiguration Traversal H46018Enabled: <On/Off>
   Determines whether or not the Border Controller will allow firewall traversal using the ITU H.460.18/19 protocols. Defaults to On.
   xconfiguration Traversal Preference: <Assent/H46018>
   Determines which of the two protocols to use when given a choice. Defaults to Assent.
   xconfiguration Traversal H46019Demultiplexing: <On/Off>
   H.460.19 optionally allows all media to be sent to the same ports on the and demultiplexed there. This switch controls that option.
   14.2.22 Zones
   Traversal zones control how the Border Controller communicates with a Gatekeeper which it is cooperating with to provide firewall traversal.
   xconfiguration Zones TraversalZone [1..50] Name: <name>
   Sets the name of the TANDBERG Gatekeeper which is allowed to connect to this Border Controller.
   xconfiguration Zones TraversalZone [1..100] HopCount: <count>
   Specifies the hop count to be used when originating an LRQ.
   xconfiguration Zones TraversalZone [1..100] Match [1..5] Mode: <AlwaysMatch/PatternMatch/Dis
   The prefix match mode determines when an LRQ will be sent to gatekeepers in the zone. If the mode is set to AlwaysMatch, the zone will always be queried. If the mode is set to PatternMatch, the zone will only be queried if the alias queried for match
2. <proxy/> </location> </address> <otherwise> <proxy/> </otherwise> </address-switch> </incoming> </cpl>
   12 Logging
   The Border Controller provides logging for troubleshooting and auditing purposes. The event log may be viewed from the command line by using the eventlog command, specifying the number of lines to display. Alternatively, the web page System Status, Event Log may be used.
   12.1 Controlling what is logged
   You can control the verbosity with which the Border Controller logs information. All events have an associated level in the range 1-3. Level 1 refers to high level events such as registration requests and call attempts. Level 2 events are recorded for incoming and outgoing messages (H.323, LDAP, etc.), excluding noisy messages such as H.460.18 keep-alives and H.245 video fast updates. Level 3 events include some of these noisy events. By default, logging is set to level 1.
   12.2 Event log format
   The event log is displayed in an extension of the UNIX syslog format:
   date time host_name facility_name <PID> message_details
   date and time represent the local time at which the message was logged. host_name is the name of the system generating the log message. facility, the name of the program generating the log message, will be tandberg for all messages originating from TANDBERG processes but will differ for m
3. Event: Description
   Eventlog Cleared: An operator cleared the event log.
   Admin Session Start: An administrator has logged onto the system.
   Admin Session Finish: An administrator has logged off the system.
   System Configuration Changed: An item of configuration on the system has changed. The detail event parameter contains the name of the changed configuration item and its new value.
   Policy Change: A policy file has been updated.
   Registration Requested: A registration has been requested.
   Registration Accepted: A registration request has been accepted.
   Registration Rejected: A registration request has been rejected. The Reason event parameter contains the H.225 cause code. Optionally, the Detail event parameter may contain a textual representation of the H.225 additional cause code.
   Table 2: Level 1 Events (continued)
   Registration Removed: A registration has been removed by the gatekeeper/border controller. The Reason event parameter specifies the reason why the registration was removed. This is one of: Authentication change; Conflicting zones; Operator forced removal; Operator forced removal (all registrations removed).
   Call Answer Attempted: An attempt to answer a call has been made.
   Call Attempted: A call has been attempted.
   Call Connected: A call has been connected.
   Call Disconnected: A call has been disconnected.
   Call Rejected: A call has bee
5. TANDBERG's Research and Development is continuously improving TANDBERG's products towards less use of environmentally hazardous components and substances, as well as to make the products easier to recycle. TANDBERG's products are Communication Solutions. The idea of these solutions is to reduce the need for expensive, time demanding and polluting transport of people. Through people's use of TANDBERG's products, the environment will benefit from less use of polluting transport. TANDBERG's wide use of the concepts of outsourcing makes the company itself a company with a low rate of emissions and effects on the environment. TANDBERG's policy is to make sure our partners produce our products with minimal influence on the environment and to demand and audit their compatibility according to applicable agreements and laws (national and international).
   Environmental Considerations
   Like other electronic equipment, the TANDBERG Border Controller contains components that may have a detrimental effect on the environment. TANDBERG works continuously towards eliminating these substances in our products.
   - Printed wiring boards made of plastic, with flame retardants like Chloride or Bromide.
   - Component soldering that contains lead.
   - Smaller components containing substances with possible environmental effect.
   After the product's end of life cycle, it should be returned to authorized waste handling and should be treated according to Nationa
6. the destination using the DNS system if it cannot be found otherwise. First the Border Controller will query for a Location SRV record, to discover the authoritative Gatekeeper for the destination DNS zone. If one is not located, the Border Controller will query for a Call SRV record and try to place the call to that address. If no appropriate SRV record can be located, the Border Controller will fall back to looking for an A or AAAA record for the domain. If a record is found, a call will be placed to that address. If you intend to use URI dialing, you should provide at least a Location SRV record: it provides the most flexibility and the simplest configuration. Call SRV records and A/AAAA records are intended primarily for use by endpoints which cannot participate in a location transaction, exchanging LRQ and LCF. Configuration of a system for a company with the domain name example.com might typically be:
   - A record for box.example.com returns the IP address of the box
   - SRV record for _h323ls._udp.example.com returns box.example.com
   - SRV record for _h323cs._tcp.example.com returns box.example.com
   - System name set to box.example.com
   - LocalDomain DomainName set to example.com
   How you add the DNS records depends on the type of DNS server you are using. Instructions for setting up two common DNS servers are given in Appendix A.
   8 ENUM dialing
   ENUM provides another DNS-based dialing scheme. Users d
7. Directory is installed. For details on installing Active Directory please consult your Windows documentation. The following instructions are for Windows Server 2003 Enterprise Edition; if you are not using this version of Windows, your instructions may vary. The following ITU specifications describe the schemas which are required to be installed on the Active Directory server:
   H.350: Directory services architecture for multimedia conferencing. An LDAP schema to represent endpoints on the network.
   H.350.1: Directory services architecture for H.323. An LDAP schema to represent H.323 endpoints.
   H.350.2: Directory services architecture for H.235. An LDAP schema to represent H.235 elements.
   The schemas can be downloaded in ldif format from the web interface on the Border Controller. To do this, navigate to the Border Controller Configuration, Files page and click on the links for the schemas. Copy the downloaded schemas to the Active Directory server. Open a command prompt and for each file execute the following command:
   ldifde -i -c DC=X <ldap_base> -f filename.ldf
   Where <ldap_base> is the base DN for your Active Directory server.
   B.1.2 Adding H.350 objects
   Create the organizational hierarchy: Open up the Active Directory Users and Computers MMC snap-in. Under your base DN, right click and select New Organizational Unit. Create an Organizational unit called h350.
   NOTE: It is good practice to keep the H.350 directory
8. ENUM lookup and SRV for the corresponding H.323 URI lookup are present, ENUM dialing should be possible. To verify your configuration, you are recommended to use the lookup command to ensure that E.164 numbers can be resolved.
   9 Example Traversal deployments
   9.1 Simple Enterprise deployment
   [Figure 20: Simple enterprise deployment]
   Figure 20 shows a typical enterprise deployment. Endpoints 1001, 1002 and a Gatekeeper are deployed on a private network, separated from the public network by a firewall and NAT. Endpoint 1003 is on a separate private network, perhaps a home worker on a DSL connection. A Border Controller is deployed on the public network to allow traversal across the firewalls. Endpoints 1001, 1002 may be any H.323 compliant endpoint. They will use the TANDBERG Gatekeeper to provide firewall traversal. Endpoint 1003 must be a TANDBERG endpoint which provides firewall traversal. Endpoints 1001, 1002 should register with the Gatekeeper. Endpoint 1003 will register with the Border Controller. Gatekeeper and Border Controller are configured to work together to provide firewall traversal. See section 4.3 for details. If you wish to be able to call using URI dialing in this deployment, then the following configuration is required:
   - Enter the address of your DNS server on the Border Controller
9. Each link is then assigned two pipes, representing the Internet connections of the offices at each end of the link. A call placed between the Home Office and Branch Office will consume bandwidth in the home and branch subzones and on the home and branch pipe. The enterprise's bandwidth budget will be unaffected by the call. If we now modify our deployment to include firewalls between the offices, we can use the firewall traversal capability of the TANDBERG Gatekeeper and Border Controller to maintain connectivity. In Figure 13, the endpoints in the enterprise register with the Gatekeeper, whilst those in the branch and home office register with the Border Controller.
   [Figure 13: Network Deployment with firewalls]
   [Figure 14: Border Controller example configuration]
   Figure 14 shows how the Border Controller could be configured for the deployment in Figure 13. The introduction of the firewalls means that there is no longer any direct connectivity between the Branch and Home offices. All traffic must be routed through the Border Controller. This is shown by the absence of a link between the Home and Branch subzones. The Traversal Zone in Figure 14 represents the Enterp
10. History, use xfeedback Register History.
   xfeedback Register Event <CallAttempt/Connected/Disconnected/ConnectionFailure/Registration/Unregistration/Bandwidth/ResourceUsage>
   Registers for feedback on the occurrence of the chosen Event, e.g. xfeedback Register Event CallAttempt. To register for all available Events, use xfeedback Register Event. Registering for the ResourceUsage event will return the entire ResourceUsage structure every time one of the ResourceUsage fields changes. ResourceUsage fields consist of: Registrations, MaxRegistrations, TraversalCalls, MaxTraversalCalls, TotalTraversalCalls.
   14.6 Other commands
   14.6.1 About
   about
   About provides information about the software version installed on the system.
   14.6.2 Clear
   clear eventlog history
   Clears the event log or history of all calls and registrations.
   14.6.3 Eventlog
   eventlog n all
   Displays the eventlog containing information about past events, which may be useful for diagnostic purposes. n: The number of lines from end of event log to dump. all: Dumps the whole event log.
   14.6.4 License
   license
   Provides access to the license terms of third party software incorporated in the product.
   14.6.5 Relkey
   relkey
   Displays the release key that this software has been installed with.
   14.6.6 Syslog
   syslog <level> ipaddr ipaddr
   Enables tracing to the console. level: Sp
11. Receiving a call using URI dialing
   7.3 DNS Records
   8 ENUM dialing
   8.1 Configuring ENUM
   8.2 Configuring DNS NAPTR Records
   9 Example Traversal deployments
   9.1 Simple Enterprise deployment
   9.2 Enterprise Gatekeepers
   9.3 Dialing Public IP addresses
   9.4 Neighbored enterprises
   9.5 URI dialing from within the enterprise
   10 Third Party Call Control
   10.1 Placing a call
   10.2 Transferring a call
   10.3 Disconnecting a call
   11 Call Policy
   11.1 Making Decisions Based on Addresses
   11.2 CPL Script Actions
   11.3 Unsupported CPL Elements
   11.4 CPL Examples
   12 Logging
   12.1 Controlling what is logged
   12.2 Event log format
   12.3 Event Levels
   12.4 Logged Events
   12.5 Remote Logging
   13 Software Upgrade
   13.1 Upgrading Using HTTP(S)
   13.2 Upgrading Using SCP
   14 Command Reference
   14.1 Status
   14.2 Configuration
   14.3 Command
   14.4 History
   14.6 Other commands
   A Appendix Configuring DNS Ser
12. Requests in order to prevent delays during call setup.
   xconfiguration Gatekeeper Alternates Alternate [1..5] Address: <IPAddr>
   Set the IP address of an alternate Border Controller. Up to 5 alternates may be configured. When the Border Controller receives a Location Request, all alternates will also be queried.
   xconfiguration Gatekeeper Alternates Alternate [1..5] Port: <IPAddr>
   Set the IP port of an alternate Border Controller. The default is 1719.
   xconfiguration Gatekeeper AutoDiscovery: <On/Off>
   Specifies whether or not the Border Controller responds to gatekeeper discovery requests from endpoints. The default is On.
   xconfiguration Gatekeeper CallRouted: <On/Off>
   Specifies whether the Border Controller should operate in call routed mode. Defaults to off.
   xconfiguration Gatekeeper CallsToUnknownIPAddresses: <Off/Direct/Indirect>
   Specifies whether or not the Border Controller will attempt to call systems which are not registered with it or one of its neighbor gatekeepers. It has three settings.
   Direct: this setting will allow the endpoint to make the call to the unknown IP address without querying any neighbors. The call setup would occur just as it would if the far end were registered directly to the local system.
   Indirect: upon receiving the call, the Border Controller will query its neighbors for the remote address, relying on the response from the neighbor to allow the ability for the call to be complete
13. [Figure 5: Alternate Border Controller configuration]
   When a Border Controller receives a Location Request, if it cannot respond from its own registration database, it will query all of its Alternates before responding. This allows the pool of registrations to be treated as if they were registered with a single Border Controller. The Alternate Border Controllers can be configured within the web interface of the Border Controller by navigating to Border Controller Configuration, Gatekeeper. Please see Figure 5 for a screenshot of a sample configuration.
   3.7 Call signaling
   When an endpoint wants to call another endpoint, it presents the address it wants to call to the Border Controller using a protocol known as RAS. The Bord
14. and the status of each gatekeeper in the zone.
   14.2 Configuration
   The configuration root command, xconfiguration, is used to set configuration settings. To list all xconfiguration commands, type xconfiguration. To list all configuration data, type xconfiguration. To show a specific configuration value, type xconfiguration name. To show usage information for a specific configuration value, type xconfiguration name. To set a configuration element, type xconfiguration name param1: value1 param2: value.
   NOTE: Remember to use the colon after naming the parameters.
   14.2.1 Authentication
   Configuration parameters relating to how an endpoint authenticates itself with the Border Controller.
   xconfiguration Authentication Credential [1..1000] Name: <username>
   Specifies the username of a credential in the local authentication database.
   xconfiguration Authentication Credential [1..1000] Password: <password>
   Specifies the password of a credential in the local authentication database.
   xconfiguration Authentication Database: <LocalDatabase/LDAPDatabase>
   Select between a local database and a remote LDAP repository for the storage of password information for authentication. The default is LocalDatabase.
   xconfiguration Authentication LDAP BaseDN: <S: 0, 255>
   The Distinguished Name to use when connecting to an LDAP server. The default is an empty string.
   xconfiguratio
15. authentication, helping to guard against replay attacks.
   14.2.11 Option Key
   xConfiguration Option [1..64] Key: <optionkey>
   Specify the option key of your software options. xstatus system software configuration can be used to discover the existing options. You must restart the system for changes to take effect.
   14.2.12 Pipes
   xconfiguration Pipes Pipe [1..100] Bandwidth Total Limit: <1..100000000>
   Bandwidth associated with a pipe, keyed by index.
   xconfiguration Pipes Pipe [1..100] Bandwidth Total Mode: <None/Limited/Unlimited>
   Whether or not a given pipe is enforcing total bandwidth restrictions. None corresponds to no bandwidth available.
   xconfiguration Pipes Pipe [1..100] Bandwidth PerCall Limit: <1..100000000>
   Per call bandwidth of a pipe.
   xconfiguration Pipes Pipe [1..100] Bandwidth PerCall Mode: <None/Limited/Unlimited>
   Whether or not a given pipe is enforcing per call bandwidth restrictions. None corresponds to no bandwidth available.
   xconfiguration Pipes Pipe [1..100] Name: <pipename>
   Name for a pipe.
   14.2.13 Services
   xConfiguration Services CallTransfer Mode: <On/Off>
   Controls whether or not third party call transfer is enabled. The Border Controller must also be operating in call routed mode.
   14.2.14 Session
   xconfiguration Session TimeOut: <0..65534>
   Controls how long an administration session (HTTPS, Telnet or SSH
16. by using either the H.323 ID, a URI, an E.164 alias or one of the services. It is recommended that you do not use aliases that reveal sensitive information. Due to the nature of H.323, call setup information is exchanged in an unencrypted form.
   [Figure 3: Selecting IP Protocol]
   By default, if you attempt to register an alias which has already been registered with the system, your registration will be rejected. This helps you to identify when two users have a conflicting alias. In some deployments an endpoint may frequently receive a new IP address, causing unwanted registration rejections. When it tries to register, it may be rejected because the Border Controlle
17. have been used to locate the Border Controller. Depending on which was used, the received URI could be in one of three forms:
   - user@10.0.0.1
   - user@srv.record.domain.name
   - user@a.record.domain.name
   Each of these should be able to discover an endpoint registered as either user or user@a.record.domain.name. On receipt of the URI, the Border Controller will modify the URI by removing the @ and host if the host matches:
   - The IPv4 or IPv6 address of the Border Controller
   - The system name of the system
   The Border Controller will then search for registrations which match either the modified URI or the modified URI with the LocalDomain DomainName appended.
   7.3 DNS Records
   URI dialing relies on the presence of records in the DNS information for the zone. For preference, SRV records should be used. These specify the location of a server for a particular protocol and domain. Their format is defined by an Internet standard [3] as:
   _Service._Proto.Name TTL Class SRV Priority Weight Port Target
   The Border Controller supports two types of service record as defined by H.323 Annex O. These are Location and Call, with Service set to _h323ls and _h323cs respectively. In our case, Service is defined by the H.323 protocol suite to be _h323ls and Proto is _udp. Name corresponds to the host part of the H.323 URI. When the Border Controller receives a request to call fred@example.com, it will attempt to locate
18. however the Border Controller allows it on any type of field.
   subdomain-of=string
   If the selected field is numeric (e.g. the tel sub-field) then this matches as a prefix, so <address subdomain-of="555"> matches 5556734 etc. If the field is not numeric then normal domain name matching is applied, so <address subdomain-of="company.com"> matches nodeA.company.com etc.
   otherwise
   The otherwise node will be executed if the address specified in the address-switch was found but none of the preceding address nodes matched.
   not-present
   The not-present node is executed when the address specified in the address-switch was not present in the call setup message. This form is most useful when authentication is being used. With authentication enabled, the Border Controller will only use authenticated aliases when running policy, so the not-present action can be used to take appropriate action when a call is received from an unauthenticated user (see example in section 11.4).
   11.2 CPL Script Actions
   11.2.1 location
   As the CPL script runs, it maintains a list of addresses (H.323 IDs, URLs and E.164 numbers) which will be used as the destination of the call if a proxy node is executed. The location node allows the location set to be modified so that calls can be redirected to different destinations. At the start of script execution the location set is initialized to empty for incoming calls a
19. in its own organizational unit to separate out H.350 objects from other types of objects. This allows access controls to be set up which only allow the Border Controller read access to the BaseDN and therefore limit access to other sections of the directory.
   Add the H.350 objects: Create an ldif file with the following contents:
   # MeetingRoom1 endpoint
   dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
   objectClass: commObject
   objectClass: h323Identity
   objectClass: h235Identity
   commUniqueId: comm1
   h323Identityh323-ID: MeetingRoom1
   h323IdentitydialedDigits: 626262
   h235IdentityEndpointID: meetingroom1
   h235IdentityPassword: mypassword
   Add the ldif file to the server using the command:
   ldifde -i -c DC=X <ldap_base> -f filename.ldf
   This will add a single H.323 endpoint with an H.323 ID alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials of id meetingroom1 and password mypassword, which are used during authentication.
   B.1.3 Securing with TLS
   To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:
   - Be located in the Local Computer's Personal certificate store. This can be seen using the Certificates MMC snap-in.
   - Have the private details on how to obtain a key associated for use with it stored locally. When viewing the certificate you should
20. line has been disconnected at the network interface.
   - Use caution when installing or modifying communication lines.
   - Avoid using communication equipment (other than a cordless type) during an electrical storm.
   - There may be a remote risk of electrical shock from lightning.
   - Do not use communication equipment to report a gas leak in the vicinity of the leak.
   - The socket outlet shall be installed near to the equipment and shall be easily accessible.
   - Never install cables without first switching the power OFF.
   - This product complies with directives LVD 73/23/EC and EMC 89/366/EEC.
   - Power must be switched off before power supplies can be removed from or installed into the unit.
   2.2 Unpacking
   The TANDBERG Border Controller is delivered in a special shipping box which should contain the following components: Border Controller unit; Installation sheet; User manual and other documentation on CD; Rack ears and screws; Kit with 4 rubber feet; Cables (power cables, one Ethernet cable, one null modem RS-232 cable).
   2.2.1 Installation site preparations
   - Make sure that the Border Controller is accessible and that all cables can be easily connected.
   - For ventilation: Leave a space of at least 10cm (4 inches) behind the Border Controller's rear and 5cm (2 inches) on the sides.
   - The room in which you install the Border Controller should have an ambient temperature between 0°C and 35°C (32°F
21. may be inactive before the session is timed out. A value of 0 turns session time outs off. The default is 0. You must restart the system for changes to take effect.
   14.2.15 SNMP
   xconfiguration SNMP CommunityName: <name>
   SNMP Community names are used to authenticate SNMP requests. SNMP requests must have this password in order to receive a response from the SNMP agent in the Gatekeeper. You must restart the system for changes to take effect.
   xconfiguration SNMP Mode: <On/Off>
   Turn on/off SNMP support. You must restart the system for changes to take effect.
   xconfiguration SNMP SystemContact: <name>
   Used to identify the system contact via SNMP tools such as TANDBERG Management Suite or HPOpenView. You must restart the system for changes to take effect.
   xconfiguration SNMP SystemLocation: <name>
   Used to identify the system location via SNMP tools such as TANDBERG Management Suite or HPOpenView. You must restart the system for changes to take effect.
   14.2.16 SSH
   xconfiguration SSH Mode: <On/Off>
   Enables/disables SSH and SCP support. You must restart the system for changes to take effect.
   14.2.17 Subzones
   xconfiguration SubZones DefaultSubZone Bandwidth PerCall Limit: <1..100000000>
   Per call bandwidth of the default subzone.
   xconfiguration SubZones DefaultSubZone Bandwidth PerCall Mode: <None/Limited/Unlimited>
   Whether or not the default subzone is enforcing total bandwidth restrict
22. neighboring Border Controllers and Gatekeepers. Can limit total bandwidth usage and set maximum per call bandwidth usage with automatic down-speeding if call exceeds per-call maximum. Can be managed with TANDBERG Management Suite 11.0 or newer, or as a standalone system with RS-232, Telnet, SSH, HTTP and HTTPS. Embedded setup wizard on serial port for initial configuration. Note that features may vary depending on software package.
   1.1 TANDBERG Border Controller Overview
   On the front of the Border Controller there are three LAN interfaces, a serial port (Data 1) and an LED showing the power status of the system. The LAN 1 interface is used for connecting the system to your network; LAN interface 2 and 3 are disabled. The serial port (Data 1) is for connection to a PC, and power on is indicated by the Light Emitting Diode (Power) being lit.
   [Figure 1: Front panel of Border Controller]
   The back of the Border Controller has a power connector, a power switch, and a serial port (Data 2) for connecting to a PC.
   [Figure 2: Rear panel of Border Controller]
   2 Installation
   2.1 Precautions
   - Never install communication equipment during a lightning storm.
   - Never install jacks for communication cables in wet locations unless the jack is specifically designed for wet locations.
   - Never touch uninstalled communication wires or terminals unless the communication
23. of systems grows. It is also inconvenient for making one-off calls to endpoints registered with previously unknown systems. Using URI dialing, you call using an H.323 URI which looks like an email address. The destination Gatekeeper is found from the domain name (the part after the @) in the same way that an email server is found. The decision as to whether or not to use URI dialing is governed by the current state of
   xConfiguration Gatekeeper DNSResolution Mode: <On/Off>
   or using the web interface on the Border Controller Configuration, Gatekeeper page. You will also need to configure a DNS server for the systems to query. This is set using
   xConfiguration IP DNS Server 1 Address: <address>
   or using the web interface on the System Configuration, IP page (see Figure 18 for the IP Configuration screen). If you want others to be able to reach you using URI dialing, add a record to your DNS information as described in Appendix A. Endpoints will typically register with the Border Controller without their domain name. The Border Controller needs to match a request for fred@example.com to a registration for fred. To do this, it must be configured with the name of the domain in which its endpoints belong. This is set using
   xConfiguration Gatekeeper LocalDomain DomainName: <name>
   If URI dialing is being used in conjunction with firewall traversal, DNSResolution Mode should only be enabled on the Border Controller and on
24. see a message saying "You have a private key that corresponds to this certificate".
   - Have a private key that does not have strong private key protection enabled. This is an attribute that can be added to a key request.
   - The Enhanced Key Usage extension includes the Server Authentication object identifier; again, this forms part of the key request.
   - Issued by a CA that both the domain controller and the client trust.
   - Include the Active Directory fully qualified domain name of the domain controller in the common name in the subject field and/or the DNS entry in the subject alternative name extension.
   B.2 OpenLDAP
   B.2.1 Prerequisites
   These instructions assume that an OpenLDAP server has already been installed. For details on installing OpenLDAP see the documentation at http://www.openldap.org. The following examples use a standard OpenLDAP installation on the Linux platform. For installations on other platforms the location of the OpenLDAP configuration files may be different. See the OpenLDAP installation documentation for details.
   B.2.2 Installing the H.350 schemas
   The following ITU specification describes the schemas which are required to be installed on the LDAP server:
   H.350: Directory services architecture for multimedia conferencing. An LDAP schema to represent endpoints on the network.
   H.350.1: Directory services architecture for H.323. An LDAP schema to represent H.323 end p
25. that it is still functioning. Specified in seconds. The default is 1800 seconds.
xconfiguration Gatekeeper Unregistered Caller Mode <on/off>
Specifies whether calls may be made by an unregistered endpoint. Defaults to off.
xconfiguration Gatekeeper Unregistered Caller Fallback <alias>
If the Border Controller receives a call setup containing no alias information, place the call to this alias.
14.2.5 HTTP/HTTPS
Commands under the HTTP and HTTPS nodes control web access to the Border Controller.
xConfiguration HTTP Mode <On/Off>
Enables/disables HTTP support. You must restart the system for changes to take effect. The default is On.
xconfiguration HTTPS Mode <On/Off>
Enables/disables HTTPS support. You must restart the system for changes to take effect. The default is On.
If web access is required, you are recommended to enable HTTPS and disable HTTP for improved security.
14.2.6 IP
Configuration of IP related parameters. The TANDBERG Border Controller may be configured to use either IPv4 or IPv6. When entering IPv4 addresses, dotted quad notation is used (127.0.0.1); when using IPv6, addresses are entered in colon hexadecimal form (2001:db8::2AA:FF:FE9A:4CA2).
xConfiguration IPProtocol <Both/IPv4/IPv6>
Selects whether the Border Controller is operating in IPv4, IPv6 or dual stack mode.
xconfiguration IP Address <IPAddr>
The IPv4 address of the sys
26. values. Level 1 will reset most parameters. There are currently no level 2 parameters, so setting that level has the same effect as setting level 1. Level 3 resets all level 1 and 2 parameters as well as the following:
• IP address, subnet mask, gateway and interface speed. The default IP address is 192.168.0.100
• COM port baud rate, speed, data bits, parity, stop bits
• SNMP community name and host address
• system name
• password
• option key
• release key
Note that DefaultValuesSet will not add the links with which the system ships from the factory. Use the DefaultLinksAdd command to do that. Certificates and policy files are not removed.
14.3.10 DenyListAdd
xCommand DenyListAdd <denied_alias>
Add an entry to the deny list. This is used by the registration restriction policy.
14.3.11 DenyListDelete
xCommand DenyListDelete <index>
Removes the pattern from the deny list at the specified index.
14.3.12 Dial
xCommand Dial callSrc <src> callDst <dst> Bandwidth <bandwidth>
Places call halves out to src and dst, joining them together.
14.3.13 DisconnectCall
xCommand DisconnectCall <callid>
Disconnects the specified call.
14.3.14 FeedbackRegister
xCommand FeedbackRegister <ID> <URL> <Expression>
Registers for notifications on the event or status change described by the Expression. Notifications are sent in X
28. Table 4: Event data (continued)
Field: Protocol
Description: Specifies which protocol was used for the communication. Valid values are TCP or UDP.
Applicable events: Call Attempted, Call Bandwidth Changed, Call Connected, Call Disconnected, Call Rejected, External Server Communication Failure, Incoming Message, Outgoing Message, Policy Change, Registration Accepted, Registration Rejected, Registration Removed, Registration Requested

Field: Reason
Description: Textual string containing any reason information associated with an event.
Applicable events: Call Rejected, External Server Communication Failure, Registration Rejected, Registration Removed

Field: Service
Description: Specifies which protocol was used for the communication. A service entry is one of H.225, H.245, NTP, DNS, LDAP, Neighbor Gatekeeper.
Applicable events: External Server Communication Failure, Incoming Message, Outgoing Message

Field: Message Type
Description: Specifies the type of the message.
Applicable events: Incoming Message, Outgoing Message

Field: Src-ip
Description: Specifies the source IP address (the IP address of the device attempting to establish communications). The source IP is recorded in the dotted decimal format number.number.number.number or the IPv6 colon separated format.
Applicable events: Call Attempted, Call Bandwidth Changed, Call Connected, Call Disconnected, Call Rejected, External Server Communication Failure, Incoming Message, Outgoing Message, Policy Change, Registrat
29. C EMC 89 366 ECC
References
[1] ITU Specification: H.235 Security and encryption for H-Series (H.323 and other H.245-based) multimedia terminals.
[2] ITU Specification: H.350 Directory services architecture for multimedia conferencing.
[3] http://www.ietf.org/rfc/rfc2782.txt
[4] http://www.ietf.org/rfc/rfc3164.txt
[5] http://www.ietf.org/rfc/rfc3880.txt
[6] DNS and BIND, Fourth Edition, Albitz and Liu, O'Reilly and Associates, ISBN 0-596-00158-4.
E Glossary
Alias: The name an endpoint registers with the Border Controller. Other endpoints can then use this name to call it.
ARQ (Admission Request): An endpoint RAS request to make or answer a call.
DNS Zone: A subdivision of the DNS namespace. example.com is a DNS zone.
E.164: An ITU standard for structured telephone numbers. Each telephone number consists of a country code, area code and subscriber number. For example, TANDBERG's European Headquarters phone number is 47 67 125125, corresponding to a country code of 47 for Norway, area code of 67 for Lysaker and finally 125125 to determine which phone line in Lysaker.
Gatekeeper Zone: A collection of all the endpoints, gateways and MCUs managed by a single gatekeeper.
LRQ (Location Request): A RAS query between Gatekeepers or Border Controllers to determine the location of an endpoint.
RAS Reg
30. DD HH MM SS format. Using this format permits simple ASCII text sorting/ordering to naturally sort by time. This is included due to the limitations of standard syslog timestamps.
Level: The level of the event as defined in section 12.3. Applicable events: all events.
In addition to the events described above, a syslog info event containing the string MARK will be logged once an hour to provide confirmation that logging is still active.
12.5 Remote Logging
It is often convenient to collect all event logs in a single location. A computer running a BSD style syslog server, as defined in RFC 3164 [4], may be used as the central log server. Ensure that remote logging is enabled. A Border Controller will not act as a central logging server for other systems. The Border Controller should be configured with the address of the central log server:
xConfiguration Log Server Address server_address
13 Software Upgrade
Software upgrade can be done in one of two ways:
1. Using a web browser (HTTP/HTTPS)
2. Using secure copy (SCP)
NOTE: To upgrade the Border Controller, a valid Release key and software file is required. Contact your TANDBERG representative for more information.
NOTE: Configuration is restored after performing an upgrade, but we recommend that you make a backup of the existing configuration using the TANDBERG Management Suite before performing the upgrade.
13.1 Upgrading Using HTTP(S)
T
31. G or larger telecommunication line cord.
ISDN cables
Contents
1 Introduction
1.1 TANDBERG Border Controller Overview
2 Installation
2.1 Precautions
2.2 Unpacking
2.3 Mounting
2.4 Connecting Cables
2.5 Switching on the System
2.6 Border Controller Initial Configuration
3 Getting started
3.1 System Administration
3.2 Backups
3.3 IP Configuration
3.4 Registration
3.5 Neighbor Gatekeepers
3.6 Alternate Border Controllers
3.7 Call signaling
4 Unregistered Endpoints
4.1 Calling from an unregistered endpoint
4.2 Calling to an unregistered endpoint
4.3 Firewall Traversal
5 Bandwidth Control
5.1 Bandwidth Control and Firewall Traversal
5.2 Bandwidth Control Examples
6 Registration Control
6.1 Registration Restriction Policy
6.2 Authentication
7 URI Dialing
7.1 Making a call using URI dialing
7.2
32. If the provided plug does not fit into your outlet, consult an electrician. Never install cables or any peripherals without first unplugging the device from its power source.
Servicing
Do not attempt to service the apparatus yourself, as opening or removing covers may expose you to dangerous voltages or other hazards and will void the warranty. Refer all servicing to qualified service personnel.
Unplug the apparatus from its power source and refer servicing to qualified personnel under the following conditions:
• If the power cord or plug is damaged or frayed
• If liquid has been spilled into the apparatus
• If objects have fallen into the apparatus
• If the apparatus has been exposed to rain or moisture
• If the apparatus has been subjected to excessive shock by being dropped
• If the cabinet has been damaged
• If the apparatus seems to be overheated
• If the apparatus emits smoke or abnormal odor
• If the apparatus fails to operate in accordance with the operating instructions
Accessories
• Use only accessories specified by the manufacturer or sold with the apparatus.
Communication lines
• Never touch uninstalled communication wires or terminals unless the telephone line has been disconnected at the network interface.
• Do not use communication equipment to report a gas leak in the vicinity of the leak.
• To reduce the risk of fire, use only No 26 AW
33. ML format to the specified URL. Up to 15 Expressions may be registered for each of 3 feedback IDs. The following Expressions are valid:
Event
Event CallAttempt
Event Connected
Event Disconnected
Event ConnectionFailure
Event Registration
Event Unregistration
Event Bandwidth
Status
Status Calls
Status Registrations
History
History Calls
History Registrations
The following would be a typical use. Back slashes are used to indicate continuation lines.
xCommand FeedbackRegister ID 1 URL http://10.1.1.1/SystemManagementService.asmx Expression Event CallAttempt Status Registration
14.3.15 FeedbackDeregister
xCommand FeedbackDeregister <ID>
Deregisters the specified Feedback Expression. All registered Feedback Expressions may be removed with
xCommand FeedbackDeregister 0
14.3.16 FindRegistration
xCommand FindRegistration <alias>
Returns information about the registration associated with alias. alias must be registered on the Border Controller on which the command is issued. See also xCommand Locate.
14.3.17 LinkAdd
xCommand LinkAdd <linkname> <node1> <node2> <pipe1> <pipe2>
Adds a new link to the link list.
14.3.18 LinkDelete
xCommand LinkDelete <index>
Deletes the indexed link.
14.3.19 Locate
xCommand Locate Alias <alias> HopCount <count>
Runs the Border Controller's loc
34. P
Reports the status of any connection to an NTP server.
14.1.9 Pipes
xstatus Pipes
xstatus Pipes Pipe n
Reports call and bandwidth information for all pipes on the system.
14.1.10 Registrations
xstatus Registrations
xstatus Registrations Registration n
Returns a list of registered endpoints on the system, or information about a specific registration.
14.1.11 ResourceUsage
xstatus ResourceUsage
Reports information about the usage of system resources.
Registrations: Number of currently active registrations
MaxRegistrations: Maximum number of concurrent registrations since system
TraversalCalls: Number of currently active traversal calls
MaxTraversalCalls: Maximum number of traversal calls since system start
TotalTraversalCalls: Total number of traversal calls since system start
14.1.12 SubZones
xstatus SubZones
Reports call and bandwidth information for all subzones on the system.
14.1.13 SystemUnit
xstatus SystemUnit
Reports information about the system as follows:
• Product name
• Uptime
• SystemTime
• TimeZone
• LocalTime
• Software version
• Software name
• Software Build
• Release date
• Number of calls supported
• Number of registered endpoints and services supported
• Hardware serial number
• Hardware version
14.1.14 Zones
xstatus Zones
Reports the call and bandwidth information for all zones on the system. Also shows status of the zone as a whole
35. TANDBERG Border Controller User Manual
Software version Q5.0
D13691.04
This document is not to be reproduced in whole or in part without permission in writing from TANDBERG.
Trademarks and copyright
Copyright 1993-2006 TANDBERG ASA. All rights reserved.
This document contains information that is proprietary to TANDBERG ASA. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronically, mechanically, by photocopying or otherwise, without the prior written permission of TANDBERG ASA. Nationally and internationally recognized trademarks and tradenames are the property of their respective holders and are hereby acknowledged.
Portions of this software are licensed under 3rd party licenses. See the CD accompanying this product for details. 3rd party license information may also be obtained from the Border Controller itself; see the license command in section 14.6 for details.
Disclaimer
The information in this document is furnished for informational purposes only, is subject to change without prior notice, and should not be construed as a commitment by TANDBERG ASA. The information in this document is believed to be accurate and reliable; however, TANDBERG ASA assumes no responsibility or liability for any errors or inaccuracies that may appear in this document, nor for any infringements of patents or other righ
36. This allows the calls to successfully pass through any firewalls between endpoint and Border Controller.
If an unregistered endpoint calls the IP address of an endpoint registered with the Border Controller, the call may succeed if there are no firewalls in the way. Such a call may be forced to pass through the Border Controller by setting Call Routed Mode to On.
NOTE: You are recommended not to dial an endpoint's IP address from an unregistered endpoint. The presence of a firewall may disrupt the call. Instead, place the call to the Border Controller as described in section 4.1.
[Figure: TANDBERG Search Algorithm (flowchart)]
37. address of your Gatekeeper. This allows the Border Controller to identify and allow H.460.18/19 from your Gatekeeper.
5 Bandwidth Control
The TANDBERG Border Controller allows you to control endpoints' use of bandwidth on your network. Figure 8 shows a typical deployment: a broadband LAN where high bandwidth calls are acceptable, a pipe to the internet with restricted bandwidth, and two satellite offices, each with their own restricted pipes. In order to utilize the available bandwidth efficiently, the TANDBERG Border Controller allows you to model your network and bandwidth controls on individual components of the network. Bandwidth controls may be set on a call by call basis and on a total concurrent usage basis.
Figure 8: Typical network deployment
All endpoints registered with your Border Controller are part of its local zone. As shown in Figure 8, the local zone can contain many different networks with different bandwidth limitations. In order to model this, the local zone is made up of one or more subzones. When an endpoint registers with the Border Controller, it is assigned to a subzone based on its IP address.
By default, all endpoints registering with the Border Controller are assigned to the default subzone. This is suitable if you have uniform bandwidth available between all your endpoints. When you have differing bandwidth provision, as in Figure 8, you shou
38. Figure 17: Adding Authentication credentials
6.2.2 Authentication using an LDAP server
The authentication information can be obtained from an LDAP server. The directory on the LDAP server should be configured to implement the ITU H.350 specification to store H.235 credentials for devices that the Border Controller communicates with. The directory should also be configured with the H.323 aliases of endpoints that will register with the Border Controller. For instructions on how to configure common third party LDAP servers, see Appendix B.
To configure the Border Controller to use the LDAP server directory during authentication, issue the following commands:
xConfiguration Authentication Mode On
xConfiguration Authentication Database LDAPDatabase
The Border Controller needs to be configured with the area of the directory which will be searched for the communication device information. This should be specified as the Distinguished Name (DN) in the directory under which the H.350 objects reside:
xConfiguration Authentication LDAP BaseDN Your base DN
The Border Controller must also be configured with the location of the LDAP server and the security credentials required to gain access to the LDAP server. The following commands are used to configure the LDAP server details:
xConfiguration LDAP Server Addr
39. alias
subfield
The following table gives the definition of subfields for each alias type. If a subfield is not specified for the alias type being matched, then the not-present action will be taken.
address-type: For all alias types, the address-type subfield is the string h323.
user: For URI aliases this selects the username part. For H.323 IDs it is the entire ID, and for E.164 numbers it is the entire number.
host: For URI aliases this selects the domain name part. If the alias is an IP address, then this subfield is the complete address in dotted decimal form.
port: For IP addresses this is the port number in decimal.
tel: For E.164 numbers this selects the entire string of digits.
alias-type: Gives a string representation of the type of alias. The type is inferred from the format of the alias. Possible types are:
  Address Type    Result
  URI             url-ID
  H.323 ID        h323-ID
  Dialed Digits   dialedDigits
display: Not defined for any alias types.
address
The address construct is used within an address-switch to specify addresses to match. Please note that all address comparisons ignore upper/lower case differences, so <address is="Fred"> will match fred, freD, etc.
is=string: Selected field and subfield exactly match the given string.
contains=string: Selected field and subfield contain the given string. Note: The CPL standard only allows for this matching on the display subfield
40. an individual endpoint may be registered with any one of the Alternates. You should configure Alternates identically for all registration and call features such as authentication, bandwidth control and policy. If you do not do this, endpoint behavior will vary unpredictably depending on which Alternate it is currently registered with. Alternates should also be deployed on the same LAN as each other so that they may be configured with the same routing information, such as local domain names and local domain subnet masks.
Each Border Controller may be configured with the IP addresses of up to five Alternates. When an endpoint registers with the Border Controller, it is presented with the IP addresses of all the Alternates. If the endpoint loses contact with its initial Border Controller, it will seek to register with one of the Alternates. This may result in your endpoint community's registrations being spread over all the Alternates.
Enterprise Gatekeepers which register with the Border Controller may also be given a list of Alternate Border Controllers to use.
41. and 95°F and between 10% and 90% non-condensing relative humidity.
• Do not place heavy objects directly on top of the Border Controller.
• Do not place hot objects directly on top of, or directly beneath, the Border Controller.
• Use a grounded AC power outlet for the Border Controller.
2.3 Mounting
The Border Controller comes with brackets for mounting in standard 19" racks. Before starting the rack mounting, please make sure the TANDBERG Border Controller is placed securely on a hard flat surface.
1. Disconnect the AC power cable.
2. Make sure that the mounting space is according to the Installation site preparations in section 2.2.1.
3. Attach the brackets to the chassis on both sides of the unit.
4. Insert the unit into a 19" rack and secure it with screws.
2.4 Connecting Cables
Power cable: Connect the system power cable to an electrical distribution socket.
LAN cable: Connect a LAN cable from the LAN 1 connector on the front of the unit to your network.
Null-modem RS-232 cable: Connect the supplied null-modem RS-232 cable between the Border Controller's Data 1 connector and the COM port on a PC.
2.5 Switching on the System
To start the TANDBERG Border Controller, make sure that the following has been done:
• The power cable is connected.
• The LAN cable is connected.
Then switch the power switch button on the back of the unit to 1. On the front of the cha
42. and AllowListAdd <allowed alias>
Adds an entry to the allow list used by the registration restriction policy.
14.3.2 AllowListDelete
xCommand AllowListDelete <index>
Removes the pattern from the allow list at the specified index.
14.3.3 Boot
xCommand Boot
Reboots the Border Controller. This takes approximately 2 minutes to complete.
14.3.4 CallTransfer
xCommand CallTransfer Call <call_index> Leg <1/2> Alias <alias>
Attempts to transfer the call half identified by the call index and leg to the given alias. Call and leg indices may be conveniently identified using xstatus calls.
14.3.5 CheckBandwidth
xCommand CheckBandwidth <node1> <node2> <bandwidth> <calltype>
Diagnostic function for verifying bandwidth control. Node1 and Node2 are the case sensitive names of the nodes, bandwidth the required bandwidth, and calltype one of Traversal or NonTraversal.
14.3.6 CredentialAdd
xCommand CredentialAdd <username> <password>
Adds the given username and password to the local authentication database.
14.3.7 CredentialDelete
xCommand CredentialDelete <index>
Deletes the indexed credential.
14.3.8 DefaultLinksAdd
xCommand DefaultLinksAdd
Restores the factory default links for bandwidth control.
14.3.9 DefaultValuesSet
xCommand DefaultValuesSet Level <level>
Resets system parameters to default
43. any Gatekeepers on the public network. The DNS records should be updated with the address of the Border Controller as the authoritative Gatekeeper for the enterprise. This ensures that calls placed using URI dialing enter and leave the enterprise through the Border Controller, allowing successful traversal of the firewall.
The LocalDomain DomainName should be set on both the Gatekeeper and the Border Controller. Any Alternates should also have the same LocalDomain DomainName.
7.2 Receiving a call using URI dialing
When a call is placed using URI dialing, the Border Controller will receive a request containing the dialed URI in the form user@host. As described in section 7.3, several mechanisms could
Figure 18: Configuring IP interface
44. are upload in progress. Please wait.
• When the upload is completed, you should see the following:
[Screenshot: Software successfully upgraded. The system should now be restarted for the new software to take effect.]
• Press Restart. You should see a confirmation window:
[Screenshot: Restarting. Next page should automatically be loaded after system has restarted. Please wait. If no page has been loaded after 4 minutes, press this link.]
• The system will then perform a second reboot to restore system parameters. After 3-4 minutes, the Border Controller is ready for use.
13.2 Upgrading Using SCP
Using SCP, you need to transfer two files to the Border Controller:
1. A text file containing the release key
2. A file containing the software image
NOTE: Make sure you transfer the release key file before transferring the software image. Also make sure you name the files exactly as described below.
NOTE: The release key file should contain just the 16 character release key.
To upgrade using SCP, do the following:
• Make sure the system is turned on and available on IP.
• Upload the release key file using scp to the /tmp folder on the system, e.g.
scp release-key root@10.47.8.247:/tmp/release-key
• Enter password when prompted.
• Copy
45. ation algorithm to locate the endpoint identified by the given alias, searching locally, on neighbors, and on systems discovered through the DNS system. Results are reported back through the xFeedback mechanism.
14.3.20 OptionKeyAdd
xCommand OptionKeyAdd <key>
Adds a new option key.
14.3.21 OptionKeyDelete
xCommand OptionKeyDelete <index>
Deletes the indexed option key.
14.3.22 PipeAdd
xCommand PipeAdd <name> <totalmode> <total> <percallmode> <percall>
Adds and configures a new pipe.
14.3.23 PipeDelete
xCommand PipeDelete <index>
Deletes the indexed pipe.
14.3.24 RemoveRegistration
xCommand RemoveRegistration <regid>
Removes the specified registration.
14.3.25 SubZoneAdd
xCommand SubZoneAdd <name> <address> <prefixlength> <totalmode> <total> <percallmode> <percall>
Adds and configures a new subzone.
name: User assigned label for the subzone.
address: IP address for the subzone.
prefix: Number of bits which must match for an IP address to be in this subzone.
totalmode: Determines whether bandwidth is controlled for this node. None prevents any calls, Limited imposes bandwidth limits, Unlimited imposes no bandwidth limits.
14.3.26 SubZoneDelete
xCommand SubZoneDelete <index>
Deletes the indexed subzone.
14.3.27 TraversalZoneAdd
xCommand TraversalZoneAdd C
46. ct
14.2.20 TimeZone
xconfiguration TimeZone Name <timezone name>
Sets the local timezone. Timezone names follow the POSIX naming convention, e.g. Europe/London or America/New_York.
14.2.21 Traversal
xconfiguration Traversal UDPProbe RetryInterval <seconds>
Interval with which a failed attempt to establish a UDP channel should be repeated.
xconfiguration Traversal UDPProbe RetryCount <count>
Number of attempts at re-establishing a failed UDP channel.
xconfiguration Traversal UDPProbe KeepAliveInterval <seconds>
Interval with which a UDP channel should be refreshed.
xconfiguration Traversal TCPProbe RetryInterval <seconds>
Interval with which a failed attempt to establish a TCP channel should be repeated.
xconfiguration Traversal TCPProbe RetryCount <count>
Number of attempts at re-establishing a failed TCP channel.
xconfiguration Traversal TCPProbe KeepAliveInterval <seconds>
Interval with which a TCP channel should be refreshed.
xconfiguration Traversal Media RTP Port <port>
UDP port to which media should be sent. Conventionally this will be an even numbered port. The default is 2776.
xconfiguration Traversal Media RTCP Port <port>
UDP port to which media control information should be sent. Conventionally this will be set to RTP port + 1. The default is 2777.
xconfiguration Traversal AssentEnabled <On/Off>
47. ction 14.
3.1.1 Administrator Account
All administration requires you to log in to the administration account with a user name admin and a password. The default password is TANDBERG, which you are recommended to change as soon as possible. Choose a strong password, particularly if administration over IP is enabled.
The password can be changed on the web page System Configuration > System, or through the command line interface using the command
xconfiguration systemunit password new_password
If you forget your password, it is possible to set a new password using the following procedure:
• Reboot the Border Controller.
• Connect to the Border Controller over the serial interface once it has restarted.
• Login with the user name pwrec. No password is required.
• You will be prompted for a new password.
The pwrec account is only active for one minute following a restart. Beyond that time you will have to restart the system again to change the password. Because access to the serial port allows the password to be reset, it is recommended that you install the Border Controller in a physically secure environment.
3.1.2 Root Account
The Border Controller provides a root account with the same password as the admin account. This account should not be used in normal operation, and in particular system configuration should not be conducted using this account; use the admin account instead.
3.2 Backups
You a
48. d connecting through the routing rules as it would through the neighbor relationship.
Off: this will not allow any endpoint registered directly to the Border Controller to call an IP address of any system not also registered directly to that Border Controller.
See section 4 for further detail. The default is Indirect.
xconfiguration Gatekeeper CallTimeToLive <60..65534>
Interval in seconds at which endpoints are polled to verify that they are still in a call. The default is 120 seconds.
xconfiguration Gatekeeper DNSResolution Mode <On/Off>
Determines whether or not DNS lookup of H.323 URIs is enabled on this system. The default is On.
xconfiguration Gatekeeper Downspeed PerCall Mode <On/Off>
Determines whether or not the system will attempt to down-speed a call if there is insufficient per-call bandwidth configured to fulfill the request. The default is On.
xconfiguration Gatekeeper Downspeed Total Mode <On/Off>
Determines whether or not the system will attempt to down-speed a call if there is insufficient total bandwidth available to fulfill the request. The default is On.
xconfiguration Gatekeeper ForwardLocationRequests <On/Off>
Determines behavior on receipt of a location request (LRQ) from another Gatekeeper. If set to on, the Border Controller will first try to resolve the request locally. If it cannot, the request will be forwarded to neighbor Gateke
49. d as described in section 9.1 in order to provide firewall traversal. 9.3 Dialing Public IP addresses. Figure 22 shows a private endpoint (1001) calling an endpoint on a public IP address. In this case the public endpoint is not registered to a Gatekeeper and can only be reached using its IP address. In order to successfully traverse the firewall, it is necessary for the call to be relayed through the Border Controller; the TANDBERG Gatekeeper should not attempt to place the call directly to the public endpoint. [Figure 22: Dialing a public IP address] In order to achieve this: • Within the Gatekeeper configuration, set Calls to unknown IP addresses to Indirect. This setting will force the Gatekeeper to forward calls to any IP address it does not have locally registered to the TANDBERG Border Controller, thereby allowing the Border Controller itself to relay the call to the endpoint on the public IP address. • On the Border Controller, configure Calls to unknown IP addresses to Direct. This setting will allow the Border Controller to connect any call that it receives from the internal Gatekeeper out to systems on the public Internet. • From Endpoint 1001, dial 213.228.193.162. 9.4 Neighbored enterprises. If two sites have deployed Border Controllers for firewall traversal, the two Border Controllers may be n
50. d endpoint to the Border Controller. The Border Controller will then resolve the alias and place the call as normal. Not all endpoints allow you to enter an alias and an IP address to which the call should be placed. In that case you can simply place the call to the IP address of the Border Controller, with no alias information. The Border Controller may be configured to associate all such anonymous calls with a single destination alias. This is achieved with the command xConfiguration Gatekeeper Unregistered Caller Fallback <destination>. 4.2 Calling to an unregistered endpoint. [Figure 7: Calling an unknown IP address] Calls can be placed to an unregistered endpoint by dialing its IP address or using an H.323 URI if the DNS system has been appropriately configured. If URI dialing is used, DNS is queried for a call signaling address and, if found, the call is placed to that address. See section 7 for details of how to configure the Call Signalling SRV Record. It is sometimes undesirable for a system to place a call to an IP address directly. Instead
51. e Border Controller Configuration > Services shown in figure 23. [Figure 23: Enabling call transfer] 10.3 Disconnecting a call. An existing call may be disconnected by issuing the command xCommand DisconnectCall <index>, where index is the call index as reported by xStatus Calls. 11 Call Policy. Your TANDBERG Border Controller allows you to set up policy to control which calls are allowed and even redirect selected calls to different destinations. You specify this policy by uploading a script written in the Call Processing Language (CPL). Each time a call is made, the Border Controller executes the script to decide, based on the source and destination of the call, whether to: • Proxy the call to its original destination • Redirect the call to a different destination • Reject the call. The Border Controller will only execute scripts for source or destinations which are registered directly with the system. The CPL script is uploaded via the Web interface under the Border Controller Configuration > Files web page. The execution of the CPL script is controlled by th
52. e setting xConfiguration Gatekeeper Policy Mode <On/Off>. Policy interacts with authentication (section 6.2). If authentication is enabled on the local Border Controller and a call is received from a remote, unauthenticated Gatekeeper, the call's source aliases will be removed from the call request before it is passed to the policy engine. This is because the unauthenticated source aliases could be forged and so should not be used for policy decisions in a secure environment. The following sections give details of the Border Controller's implementation of the CPL language and should be read in conjunction with the CPL standard, RFC 3880 [5]. 11.1 Making Decisions Based on Addresses. 11.1.1 address-switch. The address-switch node allows the script to run different actions based on the source or destination aliases of the call. The address-switch specifies which fields to match, and then a list of address nodes contains the possible matches and their associated actions. The supported attributes on an address-switch and their interpretation are as follows. field: origin (match against the source aliases); destination (match against the destination aliases); original-destination (match against the destination aliases). If the selected field contains multiple aliases, then the Border Controller will attempt to match each address node with all of the aliases before proceeding to the next address node, i.e. an address node matches if it matches any
53. ecifies the detail at which to trace (0-3); 3 gives most logging. ipaddr: Specify up to 10 IP addresses to log information for (all if none specified). Setting syslog 0 will turn off tracing. A Appendix: Configuring DNS Servers. In the examples below, we set up an SRV record to handle H.323 URIs of the form user@example.com. These are handled by the system with the fully qualified domain name of gatekeeper1.example.com, which is listening on port 1719, the default registration port. It is assumed that an A record already exists for gatekeeper1.example.com. If not, you will need to add one. A.1 Microsoft DNS Server. It is possible to add the SRV record using either the command line or the MMC snap-in. To use the command line, on the DNS server open a command window and enter: dnscmd . /RecordAdd domain service_name SRV service_data. Here domain is the domain into which you wish to insert the record, service_name is the name of the service you're adding, and service_data is the priority, weight, port and server providing the service, as defined by RFC 2782. For example: dnscmd . /RecordAdd example.com _h323ls._udp SRV 1 0 1719 gatekeeper1.example.com. A.1.1 BIND 8 & 9. BIND is a commonly used DNS server on UNIX and Linux systems. Configuration is based around two sets of text files: named.conf, which describes which zones are represented by the server, a
54. eighbored to allow calls to be placed from one enterprise to another. Neighboring will reduce call setup time compared to URI dialing (described in section 7). The disadvantage of neighboring is that the Border Controllers have to be configured with each other's addresses before the call can be made. Gatekeeper and matching Border Controller are neighbored as described in section 9.1. Border Controller A and B are neighbored together, either with or without prefixes. 9.5 URI dialing from within the enterprise. • Turn URI dialing OFF on the TANDBERG Gatekeeper. You want to use the Border Controller to resolve any H.323 URI received. • Ensure that DNS Resolution Mode is turned on at the TANDBERG Border Controller. You want to use the Border Controller to resolve any H.323 URI received. • Configure the local domain name on both the Gatekeeper and the Border Controller. • Configure the Border Controller with the address of a public DNS server. • From an endpoint in enterprise A, dial the full H.323 URI, for example Ben@EnterpriseB.com. Border Controller B is registered in DNS as responsible for enterprise B and will receive the incoming call and route it accordingly. URI dialing will send all queries for a particular domain to the same Border Controller. If you want to have URI dialing covering multiple Border Controllers, nominate one as the master. That system is registered in DNS and is set up with a
55. epers. The default is On. xconfiguration Gatekeeper LocalDomain DomainName: DNS name of the domain that the Gatekeeper is responsible for. Used when searching for matching endpoint registrations. xconfiguration Gatekeeper LocalPrefix <prefix>: Set the local zone prefix of the system. xconfiguration Gatekeeper Policy Mode <On/Off>: Determines whether or not the CPL policy engine is active. The default is On. xconfiguration Gatekeeper Registration AllowList [1..1000] Pattern <pattern>: Specifies a pattern in the registration allowed list. If one of an endpoint's aliases matches one of the patterns in the AllowList, the registration will be allowed. xconfiguration Gatekeeper Registration ConflictMode <Overwrite/Reject>: Determines how the Border Controller will behave if an endpoint attempts to register aliases currently registered from another IP address. The default is Reject. xconfiguration Gatekeeper Registration DenyList [1..1000] Pattern <pattern>: Specifies a pattern in the registration denied list. If one of an endpoint's aliases matches one of the patterns in the DenyList, the registration will be denied. xconfiguration Gatekeeper Registration RestrictionPolicy <None/AllowList/DenyList>: Policy in use to determine who may register with the system. The default is None. xconfiguration Gatekeeper TimeToLive <60..65534>: The interval at which the system polls the endpoint in order to verify
56. epers and Border Controllers in your deployment. A hierarchical dial plan can simplify this. One Gatekeeper is nominated as the directory gatekeeper for the deployment. All Border Controllers and public Gatekeepers are neighbored with it and vice versa. There is no need to neighbor the Border Controllers and public Gatekeepers with each other. Adding a new Border Controller or public Gatekeeper now only requires changing configuration on that system and the Directory Gatekeeper. Failure of the directory gatekeeper could cause significant disruption to communications. Consideration should be given to the use of Alternate Gatekeepers (section 3.6) for increased resilience. Neighbors are added and zones configured through the command line interface using the xconfiguration zones family of commands, xCommand ZoneAdd, or through the web interface (Border Controller Configuration > Zones) as shown in Figure 4. The prefixes and suffixes described above are formed using patterns: each zone may have up to 5 patterns assigned, each of which may be defined as a prefix or a suffix. Patterns are not used, and not displayed on the web interface, if the pattern match mode is set to always or disabled. 3.5.1 Search Order. If a called alias matches a prefix or suffix zone, a strong match is achieved. A weak match is achieved if a zone is to be queried only because it has no pattern matching configured. When an incoming call request is received, a Border Controller w
57. er Controller tries to resolve this address and supplies the calling endpoint with information about the called endpoint. The destination address can take several forms: IP address, H.323 ID, E.164 alias or a full H.323 URI. When an H.323 ID or E.164 alias is used, the Border Controller looks for a match between the dialed address and the aliases registered by its endpoints. If no match is found, it may query other Gatekeepers and Border Controllers. When dialing by H.323 URI, the destination address resembles an email address. The Border Controller first follows the procedure for matching H.323 IDs. If that fails, it looks for a Gatekeeper or Border Controller responsible for the domain (the part of the URI following the @ symbol) and queries that device. Dialing by IP address is necessary when the destination endpoint is not registered with a Gatekeeper or Border Controller. If it is registered, then one of the other addressing schemes should be used instead, as they are more flexible. From your registered endpoint, dial the IP address of the endpoint you wish to call. This requires that the Border Controller has xConfiguration Gatekeeper CallToUnknownIPAddresses correctly configured. See section 4.2. Figure 6 illustrates the process the Border Controller performs when receiving call requests. Most calls to an endpoint registered with a Border Controller will be routed through the Border Controller
58. er can be encrypted using Transport Layer Security (TLS). To use TLS, the LDAP server must have a valid certificate installed so that the Border Controller can verify the server's identity. For more information on setting up certificates using common LDAP servers, see Appendix B. LDAPS uses port 636 as its default communications port. Using the terminal interface, TLS can be enabled with the following command: xConfiguration LDAP Encryption TLS. TLS can also be enabled via the web interface using the Border Controller Configuration > Gatekeeper page. The Border Controller will now only communicate with the LDAP server using TLS. To verify the identity of the LDAP server, the certificate of the Certificate Authority (CA) that issued the LDAP server with its certificate must be uploaded to the Border Controller. To install the CA's certificate, navigate to the Border Controller Configuration > Files page and upload the CA certificate as a Trusted CA certificate. 7 URI Dialing. 7.1 Making a call using URI dialing. If an alias is not located in the Border Controller's list of registrations, it may attempt to find an authoritative Gatekeeper through the DNS system. URI dialing makes it easier for endpoints registered with different Gatekeepers or Border Controllers to call each other. Without URI dialing, you need to neighbor all the systems to each other. This does not scale well as the number
59. es the corresponding pattern. If the mode is set to Disabled, the zone will never be queried. xconfiguration Zones TraversalZone [1..100] Match [1..5] Pattern String <pattern>: The pattern to be used when deciding whether or not to query a zone. This is only used if the zone's match mode is set to PatternMatch. xconfiguration Zones TraversalZone [1..100] Match [1..5] Pattern Type <Prefix/Suffix>: Determines whether the pattern string being checked should appear at the beginning or end of an alias. xconfiguration Zones TraversalZone [1..100] Match [1..5] Pattern Behaviour <Strip/Leave>: Determines whether the matched pattern should be removed from the alias before an LRQ is sent to the indicated zone. xconfiguration Zones Zone [1..100] Name <name>: An administrator-specified name for the zone. xconfiguration Zones Zone [1..100] Gatekeeper [1..6] Address <address>: Specifies the IP addresses of the gatekeepers in the zone. Multiple addresses allow support for alternate gatekeepers. xconfiguration Zones Zone [1..100] Gatekeeper [1..6] Port <port>: Specifies the port on which the indexed gatekeeper is listening for RAS messages. xconfiguration Zones Zone [1..100] HopCount <count>: Specifies the hop count to be used when originating an LRQ. xconfiguration Zones Zone [1..100] Monitor <On/Off>: If zone monitoring is enabled, an LRQ will be peri
60. ess ldap server address; xConfiguration LDAP Server Port 389; xConfiguration LDAP UserDN Your user DN; xConfiguration LDAP Password password. The status of the connection between the Border Controller and the LDAP server can be verified using the command xstatus LDAP. The details of the LDAP server can also be configured via the web interface on the Border Controller Configuration > Gatekeeper page. 6.2.3 Enforced dial plans. If LDAP authentication is in use, you may control what aliases an endpoint is allowed to register with. This allows you centralised control of your dial plan. When an endpoint registers, it presents a list of aliases it wishes to use. These may be used, replaced by those in the H.350 directory, or combined with those in the directory. This behaviour is controlled by the command xConfiguration Authentication LDAP AliasOrigin <LDAP/Endpoint/Combined>. By default the LDAP aliases will be used and those presented by the endpoint ignored. If the AliasOrigin is set to LDAP but no aliases are present in the LDAP database for the endpoint which is registering, then the endpoint's aliases will be used. If AliasOrigin is set to Combined, the endpoint will be registered with both the aliases which it has presented and those configured in the LDAP database. 6.2.4 Securing the LDAP connection with TLS. The traffic between the Border Controller and the LDAP serv
61. essages from third party processes which are used in the Border Controller product. For all messages logged from the tandberg process, the message details field is structured to allow easy parsing. It consists of a number of human-readable name value pairs, separated by a space. The first two fields are always: Time (example: Time 2006 20 01 14 02 17), the UTC date and time at which the event was generated; and Event (example: Event RegistrationRequest), the event which caused the log message to be generated. The last field of the message is always the event level: Level (example: Level 1), the level of the event being logged. 12.3 Event Levels. Events are classified by importance as detailed in the table below. Level 1 is considered the most important. The system has a configured logging level. Events of level numerically equal to and lower than the configured logging level are recorded in the event log. Table 1: Event levels. Level 1 (User): Easily human readable. Examples: • call attempt/connected/disconnected • registration attempt/accepted/rejected. Level 2 (Protocol): Logs of protocol messages sent and received. Protocol keepalives are suppressed at Level 2. Level 3 (Protocol Verbose): At logging level 3, keepalives are also logged. 12.4 Logged Events. The events logged are as follows. Table 2: Events logged at level 1
62. g per-call bandwidth restrictions. None corresponds to no bandwidth available. xconfiguration SubZones SubZone [1..100] Bandwidth Total Limit <1..100000000>: Total bandwidth available on the indexed subzone. xconfiguration SubZones SubZone [1..100] Bandwidth Total Mode <None/Limited/Unlimited>: Whether or not the indexed subzone is enforcing total bandwidth restrictions. None corresponds to no bandwidth available. xconfiguration SubZones SubZone [1..100] Name <subzonename>: Name of the indexed subzone. xconfiguration SubZones SubZone [1..100] Subnet IP Address <IPAddr>: IP to match an endpoint which belongs in this subzone. xconfiguration SubZones SubZone [1..100] Subnet IP PrefixLength <IPAddr>: Number of bits which must match for an IP address to belong in this subzone. 14.2.18 SystemUnit. xconfiguration SystemUnit Name <name>: The name of the unit. Choose a name that uniquely identifies the system. xconfiguration SystemUnit Password <password>: Specify the password of the unit. The password is used to login with Telnet, HTTP(S), SSH, SCP and on the serial port. To set an empty password, type xconfiguration SystemUnit Password. 14.2.19 Telnet. xconfiguration Telnet Mode <On/Off>: Enables/disables Telnet support. For secure operation you should use ssh in preference to telnet. You must restart the system for changes to take effe
63. his is described in more detail in section 9.3. 4.3 Firewall Traversal. The Border Controller works with the TANDBERG Gatekeeper, TANDBERG Expressway endpoints and other endpoints which support the ITU H.460.18 and H.460.19 standards. The Border Controller supports two different firewall traversal protocols: Assent and H.460.18/H.460.19. Assent is TANDBERG's proprietary protocol, in use since the N2/Q1 software releases. H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original TANDBERG Assent protocol. In order to successfully traverse a firewall, the firewall is required to allow initial outbound traffic to designated ports on the Border Controller and return traffic from those ports. For a traversal zone using the Assent protocol, the default ports are: • UDP 1719 • TCP 2776 • UDP 2776 • UDP 2777. Non-traversal calls (calls to the public internet) send traffic to ports determined by the receiving endpoint. Traffic is sent from UDP ports 1719 and 50,000 to 52,400 and TCP ports 15,000 to 16,800 and 19,000 to 20,800. If you are using H.460.18/19 for firewall traversal, different ports are involved: • UDP 1719 • TCP 1720 • TCP 2777 • UDP 2776 • UDP 2777. Having the firewall only accept incoming data from the IP address and port to which data has already been sent allo
64. ial an E.164 number (a telephone number), which is converted into an H.323 URI by the DNS system. The rules for URI dialing are then followed to place the call. This allows you to retain the flexibility of URI dialing whilst having the simplicity of calling using just a number. Before the DNS lookup can be performed, the E.164 number must be transformed into a host name. To do this, the digits are reversed and separated by a dot, similar to the way DNS PTR records are formed. The DNS zone is then appended. If an ENUM root of e164.example.com is being used and the dialled number is 47 67 125 125, then the transformed host name is 5.2.1.5.2.1.7.6.7.4.e164.example.com. RFC 3761, which defines the ENUM standard, specifies that the DNS zone for ENUM is e164.arpa. Use of this DNS zone requires that your E.164 numbers are assigned by an appropriate national regulatory body. Not all countries are yet participating in ENUM, so it may be useful to use an alternative DNS zone for ENUM. This could either be within your corporate DNS zone or could use a public ENUM database such as http://www.e164.org. The DNS zone used for ENUM contains NAPTR records as defined by RFC 2915. These provide the mapping between E.164 numbers and H.323 URIs. The Border Controller may be configured with up to 5 DNS zones to search for a NAPTR record. It will iterate through them in order, stopping when the first record is found. 8.1 Configuring ENUM. ENUM support is di
65. ill continue to use its existing policy. • time-switch • string-switch • language-switch • time-switch • priority-switch • redirect • mail • log • subaction • lookup • remove-location. 11.4 CPL Examples. 11.4.1 Call screening. Only allow calls from users with authenticated source addresses. See section 6.2 for details on how to enable authentication. <cpl> <incoming> <address-switch field="origin"> <not-present> <reject/> </not-present> </address-switch> </incoming> </cpl> 11.4.2 Selective Call Screening. User fred will not accept calls from anyone at annoying.com, or from any unauthenticated users. All other users will allow any calls. <cpl> <incoming> <address-switch field="destination"> <address is="fred"> <address-switch field="origin" subfield="host"> <address subdomain-of="annoying.com"> <reject/> </address> <otherwise> <proxy/> </otherwise> <not-present> <reject/> </not-present> </address-switch> </address> </address-switch> </incoming> </cpl> 11.4.3 Call Redirection. Redirect all calls to user barney to voicemail. <cpl> <incoming> <address-switch field="destination"> <address is="barney"> <location clear="yes" url="barney@voicemail">
66. ill first search all of its registered endpoints. If no match is found, all strongly matching neighbor and traversal zones will be queried concurrently. [Figure 4: Adding a new zone] If the target is not found in any of the strongly matching zones, all weakly matching neighbor zones will be queried, then all weakly matching traversal zones. Finally, if a match has still not been found, a DNS query may be attempted as described in section 7. 3.6 Alternate Border Controllers. Alternate Border Controller support is provided to increase the reliability of your deployment. If one Border Controller becomes unavailable, perhaps due to a network or power outage, another will be used as an Alternate. Alternates share responsibility for their endpoint community
67. ion Accepted • Registration Rejected • Registration Removed • Registration Requested. Dst-ip: Specifies the destination IP address (the IP address of the destination for a communication attempt). The destination IP is recorded in the same format as Src-ip. Applicable events: as Src-ip. Dst-port: Specifies the destination port (the IP port of the destination for a communication attempt). Applicable events: as Src-ip. Src-port: Specifies the source port (the IP port of the device attempting to establish communications). Applicable events: as Src-ip. Src-Alias: • If present, the first H.323 Alias associated with the originator of the message • If present, the first E.164 Alias associated with the originator of the message. Applicable events: • Registration Requested • Call Attempted • Call Connected • Call Disconnected • Call Rejected • Call Bandwidth Changed • Incoming Message • Outgoing Message. Included if event parameter relevant or available for message concerned. Table 4: Event data (continued). Dst-Alias: • If present, the first H.323 Alias associated with the recipient of the message • If present, the first E.164 Alias associated with the recipient of the message. Applicable events: • Registration Accepted • Registration Removed • Registration Rejected • Call Attempted • Call Connected • Call Disconnected • Call Rejected • Incoming Message • Outgoing Message • Call Bandwidth Changed. Time: Applicable events: All Events. A full UTC timestamp in YYYY MM
68. ions. None corresponds to no bandwidth available. xconfiguration SubZones DefaultSubZone Bandwidth Total Limit <1..100000000>: Total bandwidth available on the default subzone. xconfiguration SubZones DefaultSubZone Bandwidth Total Mode <None/Limited/Unlimited>: Whether or not the default subzone is enforcing per call bandwidth restrictions. None corresponds to no bandwidth available. xconfiguration SubZones TraversalSubZone Bandwidth PerCall Limit <1..100000000>: Per-call bandwidth available on the traversal subzone. xconfiguration SubZones TraversalSubZone Bandwidth PerCall Mode <None/Limited/Unlimited>: Whether or not the traversal subzone is enforcing per-call bandwidth restrictions. None corresponds to no bandwidth available. xconfiguration SubZones TraversalSubZone Bandwidth Total Limit <1..100000000>: Total bandwidth available on the traversal subzone. xconfiguration SubZones TraversalSubZone Bandwidth Total Mode <None/Limited/Unlimited>: Whether or not the traversal subzone is enforcing total bandwidth restrictions. None corresponds to no bandwidth available. xconfiguration SubZones SubZone [1..100] Bandwidth PerCall Limit <1..100000000>: Per-call bandwidth available on the indexed subzone. xconfiguration SubZones SubZone [1..100] Bandwidth PerCall Mode <None/Limited/Unlimited>: Whether or not the indexed subzone is enforcin
69. istration Admission and Status Protocol: Protocol used between endpoints and Border Controller to register and place calls. Traversal call: An H.323 call which uses a Border Controller. The Border Controller cooperates with the endpoint or TANDBERG gatekeeper to allow communication through a firewall. All signaling and media is routed through the Border Controller. Zone: See DNS Zone and Gatekeeper Zone.
70. keepers and Border Controllers. When a system receives a call for an endpoint which is not registered with it, it will send out a Location Request to all the other Gatekeepers and Border Controllers on the system. Whilst conceptually simple, this sort of flat dial plan does not scale very well: adding or moving a Gatekeeper requires changing the configuration of every Gatekeeper and Border Controller; one call attempt can result in a large number of location requests. An alternative deployment would use a structured dial plan: endpoints are assigned an alias based on the system they are registering with. Using E.164 aliases, each Gatekeeper or Border Controller would be assigned an area code. When the Gatekeepers and Border Controllers are neighbored together, each neighbor is configured with its corresponding area code as a prefix. That neighbor will now only be queried for calls to numbers which begin with its prefix. In a URI-based dial plan, similar behaviour may be obtained by configuring neighbors with a suffix to match the desired domain name. It may be desirable to have endpoints register with just the subscriber number (the last part of the E.164 number). In that case the Border Controller should be configured to strip prefixes before placing the Location Request. A structured dial plan will minimize the number of location requests issued when a call is attempted, but, as described above, still requires a fully connected mesh of all Gateke
71. l and International Regulations for waste of electronic equipment. Operator Safety Summary. For your protection, please read these safety instructions completely before you connect the equipment to the power source. Carefully observe all warnings, precautions and instructions both on the apparatus and in these operating instructions. Keep this manual for future reference. Water and Moisture: • Do not operate the apparatus under or near water, for example near a bathtub, kitchen sink, or laundry tub, in a wet basement, near a swimming pool or in other areas with high humidity. • Never install jacks for communication cables in wet locations unless the jack is specifically designed for wet locations. • Do not touch the product with wet hands. Cleaning: • Unplug the apparatus from communication lines, mains power outlet or any power source before cleaning or polishing. Do not use liquid cleaners or aerosol cleaners. Use a lint-free cloth lightly moistened with water for cleaning the exterior of the apparatus. • Unplug the apparatus from communication lines before cleaning or polishing. Do not use liquid cleaners or aerosol cleaners. Use a lint-free cloth lightly moistened with water for cleaning the exterior of the apparatus. Ventilation: • Do not block any of the ventilation openings of the apparatus. Never cover the slots and openings with a cloth or other material. Never install the appara
72. ld disable HTTP and Telnet, using the encrypted HTTPS and SSH protocols instead. For increased security, disable HTTPS and SSH as well, using the serial port to manage the system. NOTE: If you do not have an IP gateway, configure the Border Controller with an unused IP address that is valid in your subnet. 3 Getting started. 3.1 System Administration. To configure and monitor the TANDBERG Border Controller you can either use the web interface or a command line interface. The command line interface is available over SSH, Telnet and through the serial port. By default, administration sessions remain active until you log out. Session timeouts may be enabled using the xConfiguration Session TimeOut command. To enter commands you should start a session and log in with user name admin and your password. The interface groups information in different commands. xstatus: Provides a read-only interface to determine the current status of the system. Information such as current calls and registrations is available through this command group. xconfiguration: A read/write interface to set system configuration data such as IP address and subnet. xcommand: A miscellaneous group of commands for setting information or obtaining it. xhistory: Provides historical information about calls and registrations. xfeedback: An event interface providing information about calls and registrations. A command reference is given in se
73. ll the other Border Controllers and Gatekeepers as neighbors. When the master receives a URI dialing request for an endpoint it does not know about, it will query its neighbors. 10 Third Party Call Control. The Border Controller provides a third party call control API which enables you to place calls or initiate a blind transfer of an existing call. The API is provided through the command line interface. 10.1 Placing a call. xCommand Dial may be used to place a call between two endpoints, A and B. To initiate the call: xCommand Dial A B. This will return immediately and the Border Controller will attempt to place the call. Like other asynchronous Border Controller commands, progress information may be obtained by registering for feedback: xFeedback Register status call. 10.2 Transferring a call. A call may be transferred with the command: xCommand CallTransfer Call call_index Leg leg_index Alias dest. call_index and leg_index are used to determine which call and participant is to be transferred. These indices may be determined through inspection of the output of xStatus Calls. The endpoint denoted by leg_index will be disconnected and replaced by the endpoint corresponding to dest. The Border Controller must be operating in call routed mode, and call transfer must be enabled either with the command xConfiguration Services CallTransfer Mode <On/Off> or through the web pag
74. [Figure 6: Location decision flow diagram] 4 Unregistered Endpoints. Although most calls are made between endpoints registered with a Gatekeeper or Border Controller, it is sometimes necessary to place a call to or from an unregistered endpoint. 4.1 Calling from an unregistered endpoint. An unregistered endpoint can call an endpoint registered with the Border Controller. If there are no firewalls between the unregistered endpoint and the called endpoint, it is possible, though not recommended, to place the call by dialing the target endpoint's IP address. A better way of placing the call from an unregistered endpoint is to pass the alias of the calle
75. m e. The Ethernet speed. f. The local zone prefix, if any, you want to use for the zone controlled by this system. g. Whether you want to use SSH to administer the system. h. Whether you want to use Telnet to administer the system. You will be prompted to login again. You should see a welcome message like this: Welcome to TANDBERG Border Controller Release Q5 0 SW Release Date 2006 06 15 OK. 10. Login with username admin and your password. 11. Review other system settings. You may want to set the following: a. The name of the Border Controller. This is used to identify the Border Controller by the TANDBERG Management Suite. See the xConfiguration SystemUnit command in section 14.2.18 for more information on setting the name. b. Automatic discovery. If you have multiple Border Controllers in the same network, you may want to disable automatic discovery on some of them. See the xConfiguration Gatekeeper AutoDiscovery command in section 14.2.4. c. The DNS server address and the domain name, if the Border Controller will be configured with hostnames instead of IP address or if URI dialing is required. See the xConfiguration IP DNS Server Address command in section 14.2.6 for more information. 12. Reboot the Border Controller by typing the command xCommand boot to make your new settings take effect. 13. Disconnect the serial cable. NOTE: To securely manage the Border Controller you shou
76. m of the WEEE Directive and RoHS Directive is to reduce the impact of disposal of electrical and electronic equipment at end-of-life. The WEEE Directive aims to reduce the amount of WEEE sent for disposal to landfill or incineration by requiring producers to arrange for collection and recycling. The RoHS Directive bans the use of certain heavy metals and brominated flame retardants to reduce the environmental impact of WEEE which is landfilled or incinerated. TANDBERG has implemented necessary process changes to comply with the European RoHS Directive (2002/95/EC) and the European WEEE Directive (2002/96/EC). Waste Handling. In order to avoid the dissemination of hazardous substances in our environment and to diminish the pressure on natural resources, we encourage you to use the appropriate take-back systems in your area. Those systems will reuse or recycle most of the materials of your end-of-life equipment in a sound way. TANDBERG products put on the market after August 2005 are marked with a crossed-out wheelie bin symbol that invites you to use those take-back systems. Please contact your local supplier, the regional waste administration, or http://www.tandberg.net/recycling if you need more information on the collection and recycling system in your area. Information for Recyclers. As part of compliance with the European WEEE Directive, TANDBERG provides recycling information on request for all ty
77. n Authentication LDAP AliasOrigin <LDAP/Endpoint/Combined>: Specifies which aliases (from the endpoint or the database) should be used to register the endpoint. Defaults to LDAP. xconfiguration Authentication Mode <On/Off>: Whether or not to use H.235 authentication of calls and registrations. The default is Off; no authentication is required. 14.2.2 Ethernet. xconfiguration Ethernet Speed <Auto/10half/10full/100half/100full>: Sets the speed of the Ethernet link. Use auto to automatically configure the speed. To get the current speed, use xstatus Ethernet Speed. You must restart the system for changes to take effect. The default is Auto. 14.2.3 ExternalManager. xconfiguration ExternalManager Address <IPAddr>: Sets the IP address of the External Manager. The External Manager is the remote system, such as the TANDBERG Management System (TMS), used to manage endpoints and network infrastructure. xconfiguration ExternalManager Path <path>: Sets the URL of the External Manager. 14.2.4 Gatekeeper. Commands under the Gatekeeper node control aspects of the system's operation relating to its operation as an H.323 gatekeeper. xconfiguration Gatekeeper Alternates Monitor <On/Off>: Controls whether or not alternate gatekeepers are periodically interrogated to ensure that they are still functioning. Non-functional alternates will not receive Location
78. n rejected. The Reason event parameter contains a textual representation of the H.225 additional cause code. Call Bandwidth Changed: The bandwidth of a call has changed. External Server Communication Failure: Communication with an external server failed unexpectedly. The event detail data should differentiate between no response and request rejected, i.e. NACK rather than silence. Servers concerned are: DNS, LDAP servers, Neighbor Gatekeeper, NTP servers. System Start: The operating system has started. System Shutdown: The operating system was shut down. Application Start: The Border Controller has started. Further detail may be provided in the event data detail field. Application Failed: The Border Controller application is out of service due to an unexpected failure. License Limit Reached: Licensing limits for a given feature have been reached. The event detail field specifies the facility limits concerned. Possible values for the detail field are: Non Traversal Call Limit Reached; Traversal Call Limit Reached. Table 3: Events logged at level 2 (Event: Description). Incoming Message: An incoming message has been received. Outgoing Message: An outgoing message has been sent. 12.4.1 Event data. Each Event will have associated data fields. Fields are listed below in the order in which they appear in the log message. Table 4: Event data (Field: Description)
79. nd Regulations 47CFR Part 2 Part 15 e CISPR PUB 22 Class A EMC Immunity e EN 55024 1998 A1 2001 e EN 61000 3 2 2000 e EN 61000 3 3 1995 A1 2001 Electrical Safety e IEC 60950 1 edition 2001 e EN 60950 1 edition 2001 A11 2004 e UL 60950 1 1st Edition e CSA 60950 1 03 85 TANDBERG Border Controller User Manual D Technical Specifications System Capacity 500 registered traversal endpoints 100 traversal calls at 384 kbps 100 zones Option keys may restrict the system to a lower capacity than specified above Ethernet Interfaces 3 x LAN Ethernet RJ 45 10 100 Base TX 2 disabled System console port 2 x COM ports front and rear RS 323 DB 9 connector 2 x USB disabled ITU standards ITU T H 323 version 5 including Annex O ITU T H 460 18 H 460 19 ITU T H 235 ITU T H 350 Security Features IP Administration passwords Management via SSH and HTTPS Software upgrade via HTTPS and SCP System Management Configuration via serial connection Telnet SSH HTTP HTTPS Software upgraded via HTTP HTTPS and SCP Environmental Data Operation temperature 0 C to 35 C 32 F to 95 F Relative humidity 10 to 90 non condensing 86 Physical Dimensions Height 4 35 cm 1 72 inches Width 42 6 cm 16 8 inches Depth 22 86 cm 9 inches 1U rack mounted chassis Hardware Hardware MTBF 80 479 hours Power supply 250 Watt 90 264V full range 47 63 Hz Certification LVD 73 23 E
80. nd a selection of zone files which describe the detail of each zone. BIND is sometimes run chrooted for increased security. This gives the program a new root directory, which means that the configuration files may not appear where you expect them to be. To see if this is the case on your system, run: ps aux | grep named. This will give the command line that named (the BIND server) was invoked with. If there is a -t option, then the path following that is the new root directory and your files will be located relative to that root. In /etc/named.conf look for a directory entry within the options section. This will give the directory in which the zone files are stored, possibly relative to a new root directory. In the appropriate zone section, a file entry will give the name of the file containing the zone details. For more details of how to configure BIND servers and the DNS system in general, see [6]. A.2 Verifying the SRV record. There is a range of tools available to investigate DNS records. One commonly found on Microsoft Windows and UNIX platforms is nslookup. Use this to verify that everything is working as expected: nslookup -querytype=srv _h323ls._udp.example.com and check the output. B Appendix: Configuring LDAP Servers. B.1 Microsoft Active Directory. B.1.1 Prerequisites. These comprehensive step-by-step instructions assume that Active
81. nd to the original destination for outgoing calls. The following attributes are supported on location nodes. Clear (yes/no): Specifies whether to clear the current location set before adding the new location. The default is to append this location to the end of the set. url (string): The new location to be added to the location set. The given string can specify a URL (user@domain.com), H.323 ID or an E.164 number. 11.2.2 proxy. On executing a proxy node, the Border Controller will attempt to forward the call to the locations specified in the current location set. If multiple entries are in the location set, then they are treated as different aliases for the same destination and are all placed in the destination alias field. If the current location set is empty, the call will be forwarded to its original destination. It is important to note that when a proxy node is executed, script execution stops immediately, i.e. there is currently no support for the proxy outputs (busy, noanswer, etc.). 11.2.3 reject. If a reject node is executed, the Border Controller stops any further script processing and rejects the current call. 11.3 Unsupported CPL Elements. The Border Controller does not currently support the following elements that are described in the CPL RFC. If an attempt is made to upload a script containing any of the following elements, an error message will be generated and the Border Controller w
82. nds CPL policy Downspeeding Allow downs peeding at total bandwidth limit Allow downspeeding at per call bandwidth limit Local domain Domain name ENUM Allow ENUM resolution DNS Suffix 1 164 arpa DNS Suffix 2 DNS Suffix 3 DNS Suffix 4 HONVL DNS Suffix 5 Figure 19 Setting the ENUM Zone order flag preference service regex replacement IN NAPTR 10 100 u E2U h323 h323 recipient example com order 10 and preference 100 determine the order in which NAPTR records will be processed Lowest order first with lowest preference being processed first in the case of matching order flag u determines the interpretation of the other fields in this record Only the value u is supported service states that this record is intended to describe E 164 to URI conversion for H 323 Its value must be E2U h323 regex describes the conversion from the given E 164 number to an H 323 URI is a field separator The first part represents the entire E 164 number which is replaced with the second field recipient example com oo The last field of the NAPTR record replacement is not used and should be set to NOTE According to RFC 2915 NAPTR records may contain regex substitutions which are applied to the E 164 number to produce the H 323 URI This release of the Border Controller does not support this behaviour the NAPTR record is substituted for the E 164 number Once the DNS NAPTR for the
83. nected. 14.1.3 externalmanager. xstatus ExternalManager: Returns information about the external manager. The External Manager is the remote system, such as the TANDBERG Management System (TMS), used to manage the endpoints and network infrastructure. Address: IP address of the external manager. Protocol: Protocol used to communicate with the external manager. URL: URL used to communicate with the external manager. 14.1.4 feedback. xstatus Feedback, xstatus Feedback n: Returns all currently registered feedback expressions, or the feedback expression at index n. 14.1.5 IP. xstatus IP: Returns the active IP configuration of the system, with IP address, subnet mask and gateway. If you have changed the IP configuration without rebooting, xstatus IP will return the original settings currently in effect. Address: IP address. SubnetMask: IP subnet mask. Gateway: Default gateway. DNS Server: The DNS servers in use. 14.1.6 LDAP. xstatus LDAP: Reports the status of any connection to an LDAP server. 14.1.7 Links. xstatus Links, xstatus Links Link n: Reports call and bandwidth information for all links on the system. Name: Name assigned to this link. Calls: A list of call indices for calls currently active on this link. Bandwidth: Total and per-call bandwidth limits on this link, together with bandwidth currently in use. 14.1.8 NTP. xstatus NT
84. nfigured through the web interface on the Border Controller Configuration Links page, or through the command line using the following commands: xConfiguration Links Link [1..100] Name; xConfiguration Links Link [1..100] Node1 Name; xConfiguration Links Link [1..100] Node2 Name; xConfiguration Links Link [1..100] Pipe1 Name; xConfiguration Links Link [1..100] Pipe2 Name. Each subzone may be configured with its own bandwidth limits. Calls placed between two endpoints in the same subzone consume resource from the subzone's allocation. Subzone bandwidths are configured on the Border Controller Configuration SubZones page (see Figure 6 for a screenshot of the configuration) or using the following command line commands: xConfiguration SubZones SubZone [1..100] Bandwidth Total Mode; xConfiguration SubZones SubZone [1..100] Bandwidth Total Limit; xConfiguration SubZones SubZone [1..100] Bandwidth PerCall Mode; xConfiguration SubZones SubZone [1..100] Bandwidth PerCall Limit. When calls are placed between endpoints in different subzones, it is possible to control the bandwidth used on the link between them. To do this, create a pipe and configure it with the required bandwidth characteristics. This pipe is then assigned to a link. Calls traversing the link will now take the pipe's bandwidth allocation into consideration. Pipes are created and configured on the Border Controller Configuration Pipes page (Figure 10) or using the following command line c
85. ns handled by the Border Controller. Registration entries are added to the Registration History on unregistration of H.323 entities. Registration histories are listed in reverse chronological order of unregistration time. 14.5 Feedback. The feedback root command, xfeedback, is used to control notifications of Events and Status changes on the Border Controller. A Feedback Expression describes an interesting event or change in status. When a Feedback Expression is registered, a notification will be displayed in the shell for each occurrence of the event described by that Expression. Notifications will continue to be displayed for a given event until the Expression is deregistered. To list all xfeedback commands, type: xfeedback. To list all currently active feedback expressions, type: xfeedback list. To register a feedback expression, type: xfeedback register <expression>. To deregister the feedback expression with index n, type: xfeedback deregister <n>. To deregister all feedback expressions, type: xfeedback deregister 0. xfeedback Register Status <Calls/Registrations>: Registers for feedback on changes in the chosen Status, e.g. xfeedback Register Status Calls. To register for all Status changes, use: xfeedback Register Status. xfeedback Register History <Calls/Registrations>: Registers for feedback on History, e.g. xfeedback Register History Calls. To register for all
86. o upgrade using HTTP(S), do the following: Point your browser at the IP address of the Border Controller. You will be prompted for your user name and password. Enter admin as the user name and enter the password, then press OK. Select the System Configuration tab and the upgrade section. Enter the release key and press Install Software. You will get a new screen where you can upload the software image. [Screenshot: System Configuration, Upgrade page] Browse to the file containing the software and press Install. You should see a page indicating that upload is in progress. [Screenshot: Software upload in progress]
87. odically sent to the zone gatekeeper. If it fails to respond, that gatekeeper will be marked as inactive. xconfiguration Zones Zone [1..100] Match [1..5] Mode <AlwaysMatch/PatternMatch/Disabled>: The zone match mode determines when an LRQ will be sent to gatekeepers in the zone. If the mode is set to AlwaysMatch, the zone will always be queried. If the mode is set to PatternMatch, the zone will only be queried if the alias queried for matches the corresponding pattern. If the mode is set to Disabled, the zone will never be queried. xconfiguration Zones Zone [1..100] Match [1..5] Pattern String <pattern>: The pattern to be used when deciding whether or not to query a zone. This is only used if the zone's match mode is set to AlwaysMatch. xconfiguration Zones Zone [1..100] Match [1..5] Pattern Type <Prefix/Suffix>: Determines whether the pattern string being checked should appear at the beginning or end of an alias. xconfiguration Zones Zone [1..100] Match [1..5] Pattern Behaviour <Strip/Leave>: Determines whether the matched pattern should be removed from the alias before an LRQ is sent to the indicated zone. 14.3 Command. The command root command, xcommand, is used to execute commands on the Border Controller. To list all xcommands, type: xcommand. To get usage information for a specific command, type: xcommand <commandname>. 14.3.1 AllowListAdd. xComm
88. oints. H.350.2: Directory services architecture for H.235. An LDAP schema to represent H.235 elements. The schemas can be downloaded in ldif format from the web interface on the Border Controller. To do this, navigate to the Border Controller Configuration Files page and click on the links for the schemas. Copy the downloaded schemas to the OpenLDAP schema directory:

    /etc/openldap/schemas/commobject.ldif
    /etc/openldap/schemas/h323identity.ldif
    /etc/openldap/schemas/h235identity.ldif

Edit /etc/openldap/slapd.conf to add the new schemas. You will need to add the following lines:

    include /etc/openldap/schemas/commobject.ldif
    include /etc/openldap/schemas/h323identity.ldif
    include /etc/openldap/schemas/h235identity.ldif

The OpenLDAP daemon (slapd) must be restarted for the new schemas to take effect. B.2.3 Adding H.350 objects. Create the organizational hierarchy: Create an ldif file with the following contents:

    # This example creates a single organisational unit to contain the H.350 objects
    dn: ou=h350,dc=my-domain,dc=com
    objectClass: organizationalUnit
    ou: h350

Add the ldif file to the server using the command: slapadd -l <ldif_file>. This organizational unit will form the BaseDN to which the Border Controller will issue searches. In this example the BaseDN will be ou=h350,dc=my-domain,dc=com. NOTE: It is good practice to keep the H.350 directory in its own organizational unit to separate out H.350 objects from
89. ommands: xConfiguration Pipes Pipe [1..100] Name; xConfiguration Pipes Pipe [1..100] Bandwidth Total Mode; xConfiguration Pipes Pipe [1..100] Bandwidth Total Limit; xConfiguration Pipes Pipe [1..100] Bandwidth PerCall Mode; xConfiguration Pipes Pipe [1..100] Bandwidth PerCall Limit. [Figure 10: Configuring a pipe] Pipes may be shared between one or more links. This is used to model the situation where a site communicates with several other sites over the same broadband connection to the Internet. Each link may have up to two pipes associated with it. This is useful for modeling two sites, each with their own broadband connection to the Internet backbone. Calls between zones or subzones consume bandwidth from each zone and any pipes on the link between them. When a Border Controller is neighbored with another Gatekeeper or a Border Controller, the neighbor is placed in its own zone. This allows you to control the bandwidth used by calls to and from endpoints controlled by the other Ga
90. onfiguration. If the policy is set to AllowList, only those endpoints with an alias which matches an entry in the AllowList may register. Conversely, if the policy is set to DenyList, all endpoints may register unless they match an entry on the DenyList. Allow lists and Deny lists are mutually exclusive: only one may be in use at any given time. [Figure 16: Configuring registration restrictions] Matching uses a simple form of wild card expansion. 12345678: Exact match only. 1234567: First 7 characters are an exact match, last may be anything. 123: 123 followed by anything. example.com: Any string ending with example.com. To set entries in the Allow and Deny lists, use the following commands: AllowListAdd, AllowListDelete, DenyListAdd, DenyListDelete. To view the entries in the allow and deny lists, use the following commands: xConfiguration Gatekeeper Registration AllowList; xConfiguration Gatekeeper Registration DenyList. 6.2 Authentication. The TANDBERG Border Controller can use a user name and password based challenge-response scheme to permit registrations. For details of how to configure your endpoint with the a
91. onfiguring down speeding options: xConfiguration Gatekeeper Downspeed PerCall Mode <On/Off>; xConfiguration Gatekeeper Downspeed Total Mode <On/Off>. 5.1 Bandwidth Control and Firewall Traversal. When a Border Controller and Gatekeeper are being used to traverse a firewall, an additional zone and subzone come into use. The traversal zone is used to represent the zone containing the Gatekeeper this Border Controller is paired with. This zone is automatically added for you. The traversal subzone represents the Border Controller itself. The traversal subzone allows you to control total and per-call bandwidths passing through the Border Controller. Unlike other subzones, no endpoints will ever be registered in this subzone. 5.2 Bandwidth Control Examples. One possible configuration for the deployment in Figure 8 is shown in Figure 12. Each of the offices is represented as a separate subzone, with bandwidth configured according to local policy. The enterprise's leased line connection to the Internet and the DSL connections to the remote offices are modelled as separate pipes. [Figure 12: Bandwidth control example] There are no firewalls involved in the scenario shown in Figure 8, so we can configure links between each of the offices
92. other types of objects. This allows access controls to be set up which only allow the Border Controller read access to the BaseDN and therefore limit access to other sections of the directory. Add the H.350 objects: Create an ldif file with the following contents:

    # MeetingRoom1 endpoint
    dn: commUniqueId=comm1,ou=h350,dc=my-domain,dc=com
    objectClass: commObject
    objectClass: h323Identity
    objectClass: h235Identity
    commUniqueId: comm1
    h323Identityh323-ID: MeetingRoom1
    h323IdentitydialedDigits: 626262
    h235IdentityEndpointID: meetingroom1
    h235IdentityPassword: mypassword

Add the ldif file to the server using the command: slapadd -l <ldif_file>. This will add a single H.323 endpoint with an H.323 Id alias of MeetingRoom1 and an E.164 alias of 626262. The entry also has H.235 credentials of id meetingroom1 and password mypassword, which are used during authentication. B.2.4 Securing with TLS. The connection to the LDAP server can be encrypted by enabling Transport Level Security (TLS) on the connection. To do this you must create an X.509 certificate for the LDAP server to allow the Border Controller to verify the server's identity. Once the certificate has been created, you will need to install the following three files associated with the certificate onto the LDAP server: The certificate for the LDAP server. The private key for the LDAP server. The certificate of the Certifica
93. pes of new equipment put on the market in Europe after August 13th 2005. Please contact TANDBERG at recycling@tandberg.net and provide the following details for the product for which you would like to receive recycling information: Model number of TANDBERG product, Your company's name, Contact name, Address, Telephone number, E-mail address. Digital User Guides. TANDBERG is pleased to announce that we have replaced the printed versions of our User Guides with a digital CD version. Instead of a range of different user manuals, there is now one CD which can be used with all TANDBERG products, in a variety of languages. The environmental benefits of this are significant. The CDs are recyclable and the savings on paper are huge. A simple web-based search feature helps you directly access the information you need. In addition, the TANDBERG video systems now have an intuitive on-screen help function, which provides a range of useful features and tips. The contents of the CD can still be printed locally, whenever needed. Environmental Issues. Thank you for buying a product which contributes to a reduction in pollution and thereby helps save the environment. Our products reduce the need for travel and transport and thereby reduce pollution. Our products have either none or few consumable parts (chemicals, toner, gas, paper). Our products are low energy consuming products. TANDBERG's Environmental Policy
94. ppropriate information, please consult your endpoint manual. The Border Controller supports the ITU H.235.1 specification for authenticating the identity of network devices with which the Border Controller communicates. In order to verify the identity of a device, the Border Controller needs access to the password information. This credential information may be stored in a local database on the Border Controller or obtained from an LDAP Directory Server. 6.2.1 Authentication using a local database. To configure the Border Controller to use the local database of credentials during authentication, issue the following commands: xConfiguration Authentication Mode On; xConfiguration Authentication Database LocalDatabase. Each credential in the local database has a username and a password. To manage the credentials in the local database, use the following commands: xcommand CredentialAdd <user name> <password>; xcommand CredentialDelete <credential index>. To show the credentials in the local database, use the command: xConfiguration Authentication Credential. The credential database can also be configured via the web interface on the Border Controller Configuration Credentials page (Figure 17). [Screenshot: Border Controller Configuration, Credentials page]
95. r is shipped with Default Zone and Default and Traversal subzones already configured. They are also preconfigured with the links between these zones to allow calls to be placed. You may delete or amend the default links if you need to model restrictions of your network. The default links may be restored by running the command:
    xCommand DefaultLinksAdd
6 Registration Control
The TANDBERG Border Controller can control which endpoints are allowed to register with it. Two separate mechanisms are provided: a simple Registration Restriction Policy and an authentication process based on user names and passwords. It is possible to use both mechanisms at once: authentication to verify an endpoint's identity from a corporate directory, and registration restriction to control which of those authenticated endpoints may register with a particular Border Controller.
6.1 Registration Restriction Policy
When an endpoint registers with your Border Controller it presents a list of aliases. By default, registration restriction policy is set to None. In this state, any endpoint may register. The registration restriction policy can be configured using the following command:
    xConfiguration Gatekeeper Registration RestrictionPolicy None AllowList DenyList
or by using the web interface on the Border Controller Configuration > Restrictions page, see Figure 16 for a screenshot of the Registration Restrictions C
96. r still has a registration from its old IP address. The Border Controller may be configured to allow an endpoint to overwrite the old IP address with the command:
    xConfiguration Gatekeeper Registration ConflictMode <Overwrite/Reject>
Consult the endpoint documentation for information on how to configure it with a Gatekeeper.
NOTE: Only traversal-enabled endpoints can register with a TANDBERG Border Controller. All other registration requests will be rejected. Traversal-enabled endpoints include all TANDBERG Expressway endpoints and third party endpoints which support the ITU H.460.18 and H.460.19 standards.
NOTE: When URI dialing is used to discover an endpoint, the URI used is based on either the H.323 ID or the E.164 alias that the endpoint registered with. The local domain is then added to this. For more information on URI dialing, see section 7.3.
3.5 Neighbor Gatekeepers
As you start deploying more than one Gatekeeper or Border Controller, it is useful to neighbor the systems together so that they can exchange information about registered endpoints. Each Gatekeeper or Border Controller forms an H.323 zone and is responsible for the endpoints within that zone. The simplest approach is to assign each endpoint a unique alias and divide the endpoint registrations between the Gatekeepers and Border Controllers. Each Gatekeeper or Border Controller is then configured with the addresses of all other Gate
97. re recommended to maintain a backup of your Border Controller configuration. Using the command line interface, log on to the Border Controller as admin and type xConfiguration. Save the resulting output to a file, using cut-and-paste or some other means provided by your terminal emulator. Pasting this information back in to the command line shell will restore your configuration.
3.3 IP Configuration
The Border Controller may be configured to use IPv4, IPv6 or both protocols. If using both protocols, the Border Controller will act as a gateway if necessary, allowing calls to be made between an IPv4-only endpoint and an IPv6-only endpoint. This behavior will use a traversal license for each call gatewayed between IPv4 and IPv6. IPv4 and IPv6 dual stack behavior is controlled by the command:
    xConfiguration IPProtocol <Both/IPv4/IPv6>
or using the web page System Configuration > IP, shown in figure 3.
3.4 Registration
Before an endpoint can use the Border Controller it must first register with it. There are two ways an endpoint can register:
• Automatically
• Manually, by specifying the IP address of the Border Controller
You can disable automatic registration on the Border Controller. See auto discovery in section 14.2 for more information. When registering, the endpoint registers with one or more of the following:
• One or more H.323 IDs
• One or more E.164 aliases
Users of other registered endpoints can then call the endpoint
98. reates a new traversal zone, allowing a TANDBERG Gatekeeper to connect to the Border Controller. Up to 50 such zones may be created. The new zone is pre-configured with a link to the traversal subzone and with a pattern match mode of AlwaysMatch.
14.3.28 TraversalZoneDelete
    xCommand TraversalZoneDelete <index>
Removes the traversal zone with the specified index.
14.3.29 ZoneAdd
    xCommand ZoneAdd <name> <address>
Adds a new zone with the specified name and IP address, e.g.
    xCommand ZoneAdd B 10.0.0.30
The zone is pre-configured with a link to the traversal subzone and a pattern match mode of AlwaysMatch.
14.3.30 ZoneDelete
    xCommand ZoneDelete <index>
Removes the zone with the specified index.
14.4 History
The history root command, xhistory, is used to display historical data on the Border Controller. To list all xhistory commands, type:
    xhistory ?
To list all history data, type:
    xhistory
To show a specific set of history data, type:
    xhistory <name>
xhistory calls
    xhistory calls
    xhistory calls call <n>
Displays history data for up to the last 255 calls handled by the Border Controller. Call entries are added to the Call History on call completion. Call histories are listed in reverse chronological order of completion time.
xhistory registrations
    xhistory registrations
    xhistory registrations registration <n>
Displays history data for up to the last 255 registratio
99. rise Gatekeeper. The Border Controller will consume bandwidth from the Traversal Zone for all calls placed to endpoints managed by the Enterprise Gatekeeper. In this example we have assumed that there is no bottleneck on the link between the Border Controller and the Enterprise network, so have not placed a pipe on this link. If you want to limit the amount of traffic flowing through your firewall, you could provision a pipe on this link. The traversal subzone in Figure 14 may be used to control the amount of traffic flowing through the Border Controller itself. Because the Gatekeeper is only managing endpoints on the LAN, its configuration is simpler, as shown in Figure 15.
[Figure 15: Gatekeeper example configuration]
All of the endpoints in the enterprise will be assigned to the default subzone. The Traversal subzone controls traversal traffic flowing through the Gatekeeper, whilst the Traversal Zone controls all traffic traversing the enterprise firewall and passing on to the Border Controller. Both subzones and the Traversal zone are linked: the link between the default subzone and the Traversal zone is used by endpoints which can send media directly to the Border Controller. The other two links are used by endpoints using the Gatekeeper to traverse the firewall. The Border Controlle
100. sabled by default. In order to enable ENUM support on your Border Controller, enter the command:
    xConfiguration Gatekeeper ENUM Mode On
You are provided by default with the global ENUM DNS zone e164.arpa. If you wish to change this or add other DNS zones, enter the command:
    xConfiguration Gatekeeper ENUM DNSSuffix [1..5] <zone_name>
The ENUM mode and zone may also be set using the web page Border Controller Configuration > Gatekeeper, shown in figure 19. If you have a number of Gatekeepers and Border Controllers neighbored together, it is recommended that ENUM support is enabled on only one of them. If ENUM is enabled on more than one system, call set-up could become unpredictable.
8.2 Configuring DNS NAPTR Records
ENUM relies on the presence of NAPTR records, as defined by RFC 2915. This is used to obtain an H.323 URI from the E.164 number. The record format that the Border Controller supports is
101. ssis you will see the Power LED being lit.
2.6 Border Controller Initial Configuration
The TANDBERG Border Controller requires some configuration before it can be used. This must be done using a PC connected to the serial port (Data 1) or by connecting to the system's default IP address: 192.168.0.100. The IP address, subnet mask and gateway must be configured before use. The Border Controller has to be configured with a static IP address. Consult your network administrator for information on which addresses to use. To set the initial configuration, do the following:
Connect the supplied null-modem RS-232 cable from Data 1 to a PC running a terminal program. Start a terminal program and configure it to use the serial port with baud rate 115200, 8 data bits, no parity, 1 stop bit, no flow control. Power on the unit if it is not already on. You should see the unit display start up information. After approximately 2 minutes you will get a login prompt. Enter username admin and your password. The default password is TANDBERG. You will be prompted if you want to run the install wizard. Type y and press Enter.
    (none) login: admin
    Password:
    Run install wizard [n]: y
Specify the following:
a. The password you want to use for your system. See section 3.1.1 for account details.
b. The IP address of the system.
c. The IP subnet mask of the system.
d. The IP default gateway of the syste
102. ssword>
Sets the password to be used when binding to the LDAP server.
    xconfiguration LDAP Server Address <IPAddr>
Sets the IP address of the LDAP server to be used when making LDAP queries.
    xconfiguration LDAP Server Port <1..65534>
Sets the IP port of the LDAP server to be used when making LDAP queries.
    xconfiguration LDAP UserDN <userdn>
Sets the user distinguished name to be used when binding to the LDAP server.
14.2.8 Links
    xconfiguration Links Link [1..100] Name <linkname>
Specifies the name of a link in the list of links.
    xconfiguration Links Link [1..100] Node1 Name <nodename>
Specifies the first node of a link. A node name may be either a Zone name or a SubZone name.
    xconfiguration Links Link [1..100] Node2 Name <nodename>
Specifies the second node of a link. A node name may be either a Zone name or a SubZone name.
    xconfiguration Links Link [1..100] Pipe1 Name <pipename>
First pipe associated with a link.
    xconfiguration Links Link [1..100] Pipe2 Name <pipename>
Second pipe associated with a link.
14.2.9 Log
    xConfiguration Log Level <1..3>
Controls the granularity of event logging, with 1 being the least verbose, 3 the most.
14.2.10 NTP
    xconfiguration NTP Address <IPAddr>
Sets the IP address of the NTP server to be used when synchronizing system time. Accurate timestamps play an important part in
103. te Authority (CA) that was used to sign the LDAP server's certificate. All three files should be in PEM file format. The LDAP server must be configured to use the certificate. To do this, edit /etc/openldap/slapd.conf and add the following three lines:
    TLSCACertificateFile <path to CA certificate>
    TLSCertificateFile <path to LDAP server certificate>
    TLSCertificateKeyFile <path to LDAP private key>
The OpenLDAP daemon (slapd) must be restarted for the TLS settings to take effect. For more details on configuring OpenLDAP to use TLS, consult the OpenLDAP Administrator's Guide. To configure the Border Controller to use TLS on the connection to the LDAP server, you must upload the CA's certificate as a trusted CA certificate. To do this, navigate to the Border Controller Configuration > Files page and upload the certificate.
C Approvals
The product has been approved by various international approval agencies, among others CSA and Nemko. According to their Follow-Up Inspection Scheme, these agencies also perform production inspections on a regular basis for all production of TANDBERG's equipment. The test reports and certificates issued for the product show that the TANDBERG Border Controller, Type number TTC2-02, complies with the following standards:
EMC Emission, Radiated Electromagnetic Interference
• EN55022:1994/A1:1995/A2:1997, Class A
• FCC Rules a
104. tekeeper. Sometimes you may place and receive calls to Gatekeepers you are not neighbored with (see section 7). These Gatekeepers, and any unregistered endpoints reached by dialing their IP address, are placed in the Default Zone. If bandwidth control is in use, there are two possible behaviors when a call cannot be placed at the bandwidth requested. By default the call will be connected at a reduced bandwidth (down-speeding), assuming that there is some bandwidth still available. Optionally, the call may be rejected if it cannot be placed at the requested bandwidth. This option is controlled through the web interface of the Border Controller by navigating to Border Controller Configuration > Gatekeeper (Figure 11) or through the following command line instructions
Figure 11 C
105. tem.
    xconfiguration IP SubnetMask <IPAddr>
The IPv4 subnet mask of the system.
    xconfiguration IP Gateway <IPAddr>
The IPv4 gateway of the system.
    xconfiguration IP V6 Address <IPAddr>
The IPv6 address of the system.
    xconfiguration IP V6 Gateway <IPAddr>
The IPv6 gateway of the system.
All the IP commands listed above require a system restart before they take effect.
    xconfiguration IP DNS Server [1..5] Address <IPAddr>
Sets the IP address of the DNS servers to be used when resolving domain names. Normally only the first DNS server will be queried for address resolution. If it fails to respond, all DNS servers will be queried. You must restart the system for changes to take effect.
    xconfiguration IP DNS Domain Name <name>
When attempting to resolve a domain name which is not fully qualified, name will be appended to the domain name before the query to the DNS server is executed. This parameter is only used when attempting to resolve server addresses such as LDAP servers, NTP servers etc. It plays no part in URI dialing, see xconfiguration gatekeeper localdomain.
14.2.7 LDAP
Parameters under the LDAP node control the Border Controller's communication with an LDAP server.
    xconfiguration LDAP Encryption <Off/TLS>
Sets the encryption mode to be used on the connection to the LDAP server. The default is Off.
    xconfiguration LDAP Password <pa
106. the software image using SCP. The target name must be /tmp/tandberg-image.tar.gz, e.g.
    scp s42100q30.tar.gz root@10.47.8.247:/tmp/tandberg-image.tar.gz
• Enter password when prompted.
• Wait until the software has installed completely. This should not take more than two minutes.
• Reboot the system. After about four minutes the system will be ready to use.
14 Command Reference
This chapter lists the basic usage of each command. The commands also support more advanced usage, which is outside the scope of this document.
14.1 Status
The status root command, xstatus, returns status information from the Border Controller. To list all status information, type:
    xstatus
Status is reported hierarchically beneath the status root. It is possible to reduce the amount of information returned by xstatus by specifying a more detailed status command. To list all xstatus commands available at the root level, type:
    xstatus ?
14.1.1 calls
    xstatus Calls
    xstatus Calls Call n
Returns a list of active calls on the system or information about a specific call.
14.1.2 ethernet
    xstatus Ethernet
    xstatus Ethernet MacAddress
    xstatus Ethernet Speed
Reports the currently active configuration of the Ethernet interface.
MacAddress: The MAC address of the LAN 1 interface.
Speed: The speed of the Ethernet link. Reports Down if the link is down or not con
107. ts of third parties resulting from its use. No license is granted under any patents or patent rights of TANDBERG ASA. COPYRIGHT 2006, TANDBERG ASA.
Environmental Issues
Thank you for buying a product which contributes to a reduction in pollution and thereby helps save the environment. Our products reduce the need for travel and transport and thereby reduce pollution. Our products have either none or few consumable parts (chemicals, toner, gas, paper). Our products are low energy consuming products.
TANDBERG's Environmental Policy
Environmental stewardship is important to TANDBERG's culture. As a global company with strong corporate values, TANDBERG is committed to being an environmental leader and embracing technologies that help companies, individuals and communities creatively address environmental challenges. TANDBERG's environmental objectives are to:
• Develop products that reduce energy consumption, CO2 emissions, and traffic congestion
• Provide products and services that improve quality of life for our customers
• Produce products that can be recycled or disposed of safely at the end of product life
• Comply with all relevant environmental legislation
European Environmental Directives
As a manufacturer of electrical and electronic equipment, TANDBERG is responsible for compliance with the requirements in the European Directives 2002/96/EC (WEEE) and 2002/95/EC (RoHS). The primary ai
108. tus near heat sources such as radiators, heat registers, stoves, or other apparatus (including amplifiers) that produce heat.
• Do not place the product in direct sunlight or close to a surface directly heated by the sun.
Lightning
• Never use this apparatus, or connect/disconnect communication cables or power cables, during lightning storms.
Dust
• Do not operate the apparatus in areas with high concentration of dust.
Vibration
• Do not operate the apparatus in areas with vibration or place it on an unstable surface.
Power connection and Hazardous voltage
• The product may have hazardous voltage inside. Never attempt to open this product, or any peripherals connected to the product, where this action requires a tool.
• This product should always be powered from an earthed power outlet.
• Never connect attached power supply cord to other products.
• In case any parts of the product have visual damage, never attempt to connect mains power, or any other power source, before consulting service personnel.
• The plug connecting the power cord to the product/power supply serves as the main disconnect device for this equipment. The power cord must always be easily accessible.
• Route the power cord so as to avoid it being walked on or pinched by items placed upon or against it. Pay particular attention to the plugs, receptacles and the point where the cord exits from the apparatus.
• Do not tug the power cord
110. uld create a new subzone for each pool of endpoints. Subzones are added and configured through the web interface on the Border Controller Configuration > SubZones page (Figure 9), or through the command line using the following commands:
    xConfiguration SubZones SubZone [1..100] Name
    xConfiguration SubZones SubZone [1..100] Subnet IP Prefixlength
    xConfiguration SubZones SubZone [1..100] Subnet IP Address
Subzones may be configured with links joining them to each other and to other zones. These links are used to calculate how a call is routed over the network and so which zones and subzones are involved. If multiple routes are possible, your Border Controller will select the one with the fewest links.
[Figure 9: Configuring a SubZone]
Links may be co
111. vers
A.1 Microsoft DNS Server
A.2 Verifying the SRV record
B Appendix: Configuring LDAP Servers
B.1 Microsoft Active Directory
B.2 OpenLDAP
C Approvals
D Technical Specifications
E Glossary
1 Introduction
This User Manual is provided to help you make the best use of your TANDBERG Border Controller. A Border Controller is a key component of TANDBERG's Expressway firewall traversal solution. Used in conjunction with a TANDBERG Gatekeeper or TANDBERG traversal-enabled endpoints, it allows calls to be made into and out of a secured private network. The main features of the TANDBERG Border Controller are:
• IPv4 and IPv6 support
• Registration of traversal-enabled endpoints
• Supports up to 500 registered TANDBERG traversal endpoints
• Secure firewall traversal of any firewall or NAT
• Up to 100 traversal calls
• Supports up to 100 neighboring zones
• Flexible zone configuration with prefix and suffix support
• URI and ENUM dialing with DNS, enabling global connectivity
• Can function as a standalone Border Controller or be neighbored with other Border Controllers and Gatekeepers
• Can be used to control the amount of bandwidth used both within the Border Controller zone and to
112. ws you to maintain a secure network behind the firewall: unsolicited incoming data will not be accepted. You are recommended to turn off any H.323 protocol support on the firewall: these are not needed in conjunction with the Expressway solution and may interfere with its operation.
4.3.1 Traversal Zones
When you use a Gatekeeper to provide traversal on behalf of endpoints, you will need to create a traversal zone on the Border Controller. This zone may be configured to use either the Assent protocol (the default) or H.460.18/19. You can select the protocol to use with the command:
    xConfiguration Zones TraversalZone [1..50] Mode <Assent/H46018>
If you use Assent, the Gatekeeper identifies itself to the Border Controller with its account name, which may be set with the command:
    xConfiguration Zones TraversalZone [1..50] AccountName
or using the Gatekeeper's web interface on the Gatekeeper Configuration > Traversal Zones page. If you use H.460.18/19 as the protocol, there is no account name. With either protocol you may also provide a descriptive zone name. This is only used for display purposes. You will need to create a corresponding Traversal Zone on the Border Controller. If you select Assent as the traversal protocol, you must supply the account name that the Gatekeeper will use. If you use H.460.18/19 as the traversal protocol, you should instead provide the publicly perceived IP
113.
    xConfiguration DNS Server Address dns_server_ip_address
• Enable URI dialing on the Border Controller:
    xConfiguration Gatekeeper DNSResolution Mode On
• Ensure that URI dialing is disabled on the Gatekeeper. This is because you wish calls to be routed from the private network to the Border Controller in order to traverse the firewall:
    xConfiguration URI Dialing Mode Off
In order to be able to receive calls placed to example.com using URI dialing, configure the following:
• Set example.com as the domain name you are using on both the Gatekeeper and Border Controller.
• Update the DNS entry for example.com with an A record representing the Border Controller and an SRV record which returns the Border Controller's A record, as described in section 7.3.
9.2 Enterprise Gatekeepers
When an enterprise has already deployed a Gatekeeper to manage calls within the private network, it may be desirable to deploy a traversal solution without having to alter the existing deployment. In order to achieve this, the TANDBERG Gatekeeper is neighbored with the existing enterprise Gatekeeper, as shown in Figure 21. The Enterprise Gatekeeper is also neighbored with the TANDBERG Gatekeeper.
[Figure 21: Neighboring with an enterprise gatekeeper]
The TANDBERG Gatekeeper and Border Controller are configure
114. you may want a neighbor to place the call on behalf of the Border Controller. You can configure this on the Border Controller using the command:
    xConfiguration Gatekeeper CallsToUnknownIPAddresses <Off/Indirect/Direct>
or using the web page Border Controller Configuration > Gatekeeper, shown in figure 7. There are three possible settings:
• Direct: this setting will allow the endpoint to make the call to the unknown IP address without querying any neighbors. The call setup would occur just as it would if the far end were registered directly to the local system.
• Indirect: upon receiving the call, the Border Controller will query its neighbors for the remote address, relying on the response from the neighbor to allow the ability for the call to be completed; connecting through the routing rules as it would through the neighbor relationship.
• Off: this will not allow any endpoint registered directly to the Border Controller to call an IP address of any system not also registered directly to that Border Controller. See section 4 for further detail.
The default is Indirect. When the Border Controller is used with a Gatekeeper for firewall traversal, you will typically set CallsToUnknownIPAddresses to Indirect on the Gatekeeper and Direct on the Border Controller. This will allow calls originating inside the firewall to use the Gatekeeper and Border Controller to successfully traverse the firewall. T
