Shoretel - SIP trunk problems and Ingate solutions
SIP trunk Problems & Solutions
ShoreTel & INGATE Siparator
Jerome Joanny
Sr Product Manager - ShoreTel
Enterprise Pure IP
Telephony Solutions
ShoreTel CONFIDENTIAL
(c) ShoreTel, Inc. 2007 -- ALL RIGHTS RESERVED
SIP Trunk - What are the advantages?
• Lower recurring costs from the carrier
• Flexible calling plans – bundled minutes, no long distance
charges
• More feature offering – virtual numbers
• Deployment flexibility
– Incremental provisioning vs. block provisioning
– Self serve portals – buy services without meeting your rep
– Quicker increments – no waiting for a truck roll
• Dual use of data pipe, voice and data
[Diagram labels: Calls, Data, Company A, IP Cloud]
SIP trunking problems
• NAT traversal for SIP
– NAT resides at L3/L4 – SIP at L7
– NAT processing “breaks” SIP addressing
• Network & SIP Communication security
– Physical medium is the IP pipe
– Firewalls control what goes in or out such pipe
• SIP Protocol Normalization & translation
– Not all SIP are created equal … and compatible
– Open Standard … open to interpretations
The ‘NAT’ and SIP Story
• The Details of port and private IP address are encapsulated in the SIP header message
• Application Layer messages contain information that isn’t relevant outside of the enterprise network
[Diagram labels: Company A; Client A; Client B; Client Y; IP 192.168.1.55; IP 192.168.1.57; Public IP 65.73.1.34; Public IP 64.72.1.31; Public IP 66.63.1.23; "?"]
SIP Header (shown twice in the diagram):
Invite From: 192.168.1.
To: 65.73.1.34:5060
Network & SIP security issues
• SIP trunks use IP infrastructure
• IP networks are ‘protected domains’ connected by untrusted
‘public’ connections.
• A reliable method is required that allows communication
between domains protected by firewalls
[Diagram labels: Company A, Firewall ("Ouch!"), Carrier SIP Trunk Cloud, Firewall ("Ouch!"), Company B]
Firewalls block the prime function of a trunk – allowing systems from different enterprises to connect
The SIP Normalization situation
[Diagram labels: Bob 972-678-0464; John 603-883-6569, ShoreTel; Jane 603-883-6580; ALG; Service Provider; PSTN Gwy; IP 168.203.30.11 (Jane); PSTN]
Bob: "Hi John! May I speak with Jane?"
John: "Sure! I will transfer you to Jane"
ShoreTel: ‘REFER’ to Jane, 603-883-6580@shoretel.com, Call-ID: X
Service Provider: Call-ID: X, "REFER? What's that?"
ShoreTel & Ingate : delivering a solution that Works !
• Solve SIP firewall and NAT traversal issues with a consistent
solution
– NAT traversal problems are the source of 90% of initial setup issues
• Ensure customers can keep total ownership of network security
when SIP is introduced
• Provide SIP normalization if/when required
• Provide partners and customers validated ‘end to end’
multi-vendor solutions in the SIP ‘plug and pray’ era
INGATE Siparator addressing the NAT issue
For calls to route successfully internal IP addresses have to be re-written
The SBC handles the Network Address Translation (NAT)
[Diagram labels: ShoreTel 603-883-6569, IP 10.200.10.16; Firewall; Service Provider; PSTN Gwy; PSTN; 972-678-0464; IP 168.203.30.11; IP 168.105.45.19]
Message from ShoreTel:
To:972-678-0464@ IP 168.105.45.19
From: 603-883-6569 @10.200.10.16
Address re-write:
168.203.30.11
To/URI:972-678-0464@ IP 168.105.45.19
From: 603-883-6569 @10.200.10.16
[email protected]
ITSPs can’t reach the IPBX in the LAN
Service Provider can only address the known public IP address of the Enterprise
For calls to route successfully IP addresses have to be re-written
The SBC again handles the Network Address Translation (NAT)
[Diagram labels: ShoreTel 603-883-6569, IP 10.200.10.16; Firewall; Service Provider; PSTN Gwy; PSTN; 972-678-0464; IP 168.203.30.11; IP 168.105.45.19]
Message from the Service Provider:
From:972-678-0464@ IP 168.203.30.11
To:[email protected]
Address re-write:
To/URI:[email protected]
IP 10.200.10.16
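Added example (not part of the original slides, and not ShoreTel or Ingate code): a sketch of why an L3/L4 NAT leaves private addresses inside SIP, and of the address re-write the slides assign to the SBC, including the Content-Length fix-up that changing the SDP body forces. The INVITE is constructed; 10.200.10.16 is the PBX address from the slide, while the ITSP address 198.51.100.20, the public address 203.0.113.7 and both function names are assumptions. A real SBC also relays or re-anchors the media ports, which this sketch does not do.

```python
import ipaddress
import re

# Constructed INVITE as it leaves the IP-PBX. 10.200.10.16 is the private PBX
# address on the slide; the ITSP address 198.51.100.20 is an assumption.
BODY = ("v=0\r\no=- 1 1 IN IP4 10.200.10.16\r\ns=-\r\n"
        "c=IN IP4 10.200.10.16\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:9726780464@198.51.100.20:5060 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.200.10.16:5060;branch=z9hG4bKconstructed\r\n"
          "From: <sip:6038836569@10.200.10.16>;tag=constructed1\r\n"
          "To: <sip:9726780464@198.51.100.20>\r\n"
          "Call-ID: constructed-call-1\r\nCSeq: 1 INVITE\r\n"
          "Contact: <sip:6038836569@10.200.10.16:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(BODY)}\r\n\r\n" + BODY)

# Only RFC 1918 space counts; ipaddress.is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def private_address_leaks(message):
    """List (field, address) for each RFC 1918 address a plain NAT leaves in place."""
    leaks = []
    for line in message.split("\r\n"):
        field = re.split(r"[:=]", line, maxsplit=1)[0]
        for addr in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:  # not a valid dotted quad
                continue
            if any(ip in net for net in RFC1918):
                leaks.append((field, addr))
    return leaks


def rewrite_private_address(message, private_ip, public_ip):
    """Swap the private address in headers and SDP, then fix Content-Length."""
    swap = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    head, _, body = swap.sub(public_ip, message).partition("\r\n\r\n")
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    fixed = rewrite_private_address(INVITE, "10.200.10.16", "203.0.113.7")
    print(private_address_leaks(INVITE), private_address_leaks(fixed), fixed, sep="\n")
```

Run against captured signalling on the public side of a firewall, the leak check shows whether the device doing the translation is SIP-aware or only rewriting the IP header.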
How does the Siparator help?
No Need to Replace the Existing Firewall!
[Diagram labels: Normal Firewalls, Siparator, DMZ, SIP]
SIP-enables any firewall
It works with existing firewalls
Dynamically manages ports needed for SIP:
- SIP Signaling port 5060
- Range of UDP/TCP ports
Provides a B2BUA & SIP Proxy
The ITSP SIP transfer problem
B2BUA handles the “REFER” SIP method locally and a new media stream is set up to Jane
ITSP sees a RE-INVITE with the same Call ID
[Diagram labels: John 603-883-6569, ShoreTel; Bob 972-678-0464; Jane 603-883-6580; ALG; SBC with B2BUA; DMZ; Service Provider; PSTN Gwy; IP 168.203.30.11; PSTN; Call-ID: X; Call-ID: X; Call-ID: Y; Re-INVITE; "?"]
Bob: "Hi John! May I speak with Jane?"
John: "Sure! I will transfer you to Jane"
ShoreTel: REFER to Jane
*) The REFER SIP method
ShoreTel’s philosophy on integration
• Provide partners and customers with validated ‘end to end’
multi-vendor solutions in the SIP ‘plug and pray’ era
– Making it all work together can be as complex as solving a third order
differential equation
– Allow partners to work with ‘known entities’
• Solve SIP firewall and NAT traversal issues with a consistent
solution
– Allow support to be clear on the components of the solution and
isolate problems easily
Summary
• SIP trunking works
• The ‘solution’ is about more than just
connectivity
• There are many flavors of SIP out there
– Be sure you only use those validated
as working together
Backup
SIP Trunks Misconceptions
• They must be the same as it says ‘trunk’
• They are IP so they require less HW
• They are cheaper – really? – Depends on what you're counting
• You can just connect directly – Security? – What’s that?
[Diagram labels: Call 408 348 8545; SIP Trunk; Carrier SIP Trunk Cloud; Company A]
• Each device has its own private IP address.
[Diagram labels: Company A; Client A; Client X; Client Y; IP 192.168.1.55; IP 192.168.1.56; IP 192.168.1.57; IP 192.168.1.1; Public IP 64.72.1.31; Public IP 66.63.1.23; Client B; Public IP 65.73.1.33]
Packet shown in the diagram:
From: 64.72.1.31:2000
To: 65.73.1.33:80