Configuring Sonus SBC 1000/2000 with Microsoft Office 365 Application Notes Last Updated April 16, 2013
Contents Sonus SBC 1000/2000 Session Border Controller Configuration Notes ....................................................... 2 Configuration Checklist ................................................................................................................................. 2 Step 1: Configure Office 365 UM to work with an SBC ................................................................................. 2 Step 2: Set Up and Connect the SBC ............................................................................................................. 2 Step 3: Do the initial configuration on the SBC ............................................................................................ 3 Step 4: Set SBC options to work with Office 365 UM ................................................................................... 3 Create a Media Crypto Profile .................................................................................................................. 3 Create a Media List ................................................................................................................................... 4 Create a TLS Profile ................................................................................................................................... 5 Create SIP Server Tables ........................................................................................................................... 6 Create a SIP Profile or modify Default SIP Profile ..................................................................................... 7 Create a Public IP Interface ....................................................................................................................... 8 Modify IP Static Route ............................................................................................................................ 10 Create Transformation Tables ................................................................................................................ 11 Create Route Tables ................................................................................................................................ 12 Create Signaling Groups .......................................................................................................................... 13 Modify Route Tables ............................................................................................................................... 15 Generate Certificate Request ................................................................................................................. 16 Import Root Certificates ......................................................................................................................... 16 Import Signed SBC Certificate ................................................................................................................. 17
Before you Begin To complete this checklist, you will need the following software and hardware: From Sonus:
Sonus SBC 1000/2000 2.2.1 (or later) – Before ordering, determine the capacity (the maximum number of concurrent calls) required by your organization, and then specify the required capacity when ordering. For assistance in determining required capacity, see Plan for UM.
From Microsoft
Office 365 for Enterprises, with a service plan that includes UM.
Configuration Checklist
You will need to complete the following steps in order to configure a Sonus SBC 1000/2000 session border controller (SBC) and Office 365 UM to work together. You need to configure DNS and UM first, and then configure the SBC to route traffic to and from Office 365 UM. 1. Configure Office 365 Unified Messaging to work with a Session Border Controller 2. Set Up and Connect the SBC 3. Do Initial Configuration on the SBC 4. Set SBC Options to work with Office 365 UM
Step 1: Configure Office 365 UM to work with an SBC Detailed information for this step is available here: Configuration Checklist: Configure Office 365 Unified Messaging to work with a Session Border Controller.
Step 2: Set Up and Connect the SBC The SBC has an internal network interface and an external network interface. The internal network interface must be connected to a network which is also connected to the IP PBX or VoIP gateway that provides telephony support for Exchange UM. Refer the Telephony Advisor for Exchange 2010 for a list of supported IP PBXs and VoIP gateways. In what follows, it is assumed that VoIP communications on the internal interface are not secured (i.e. SIP/TCP is used for signaling, RTP/UDP is used for media). If you require these communications to be secured, please refer to the Sonus product documentation. The external network interface must be connected to the public IP network (Internet), and through that to Office 365 UM. 2
Signaling and media must be secured for communication on the external network interface. This document describes how to configure the use of SIP/TLS and SRTP for this purpose.
Step 3: Do the initial configuration on the SBC Even though Office 365 UM is not acting as a telephony provider (dial tone is provided by your PBX or IP‐ PBX), there are configuration options that you need to set for your SBC to work with Office 365 UM. The initial installation/configuration of the Sonus SBC 1000/2000 can be found here.
Step 4: Set SBC options to work with Office 365 UM The following configuration examples provide the minimum information to complete a connection from an IPpbx to Office 365. The user of this guide must be familiar with the configuration concepts of the Sonus SBC 1000/2000 series. The order of these configuration steps are so that the moving between configuration sections will be kept to a minimum. There are sections that will have to be repeated due to dependencies that cannot be completed until other steps. In most examples below only the changes from default will be described.
Create a Media Crypto Profile The Media Crypto Profile configures the various options required for SRTP between the SBC and Office 365.
3
Description: Provide a unique name for this Media Crypto Profile Operation Option: Required Crypto Suite: AES_CM_128_HMAC_SHA1_32 Key Identifier Length: 4
Create a Media List The Media List will be called out later in the Signaling Group Configuration. This is the Media List specific for Office 365.
4
Description: Provide a unique name for this Media List Media Profile List: Ensure either G711A or G711u or both are added depending on the media expected from the IPpbx Crypto Profile ID: Select the Media Crypto Profile configured above for Office 365
Create a TLS Profile The TLS Profile sets options for the TLS connection between Office 365 and the SBC. In most cases as described above TLS will not be used between the IPpbx and the SBC. If it will be required then the specific options will have to be provided from the IPpbx vendor. 5
Description: Provide a unique name for this TLS Profile Client Cipher: Select AES128‐SHA,DES‐CBC3‐SHA Fallback Compatible Mode: Enabled Mutual Authentication: Enabled
Create SIP Server Tables SIP Server tables provide the unique settings specific to each SIP enpoint the SBC will communicate with. This examples shows the setting for Office 365. The IPpbx settings will have to match the IPpbx being used and is different between different vendors.
6
Host: Copy and paste the FQDN provided by the Office 365 configuration. This will be a long FQDN that is unique to each customer’s configuration. Port: 5061 Protocol: TLS TLS Profile: Select the TLS profile configured previously for Office 365
Create a SIP Profile or modify Default SIP Profile In most cases the default SIP Profile can be modified. There might be settings that will not work with the IPpbx and another SIP Profile will have to be created and called out in the Signaling Group for the IPpbx. The SIP Profile shown works with Office 365.
7
FQDN in From Header: Server FQDN
Create a Public IP Interface The SBC provides an interface between the customer’s public and private IP networks. The private IP interface was configured in the initial configuration of the SBC. Physical Port
8
Select an unused Physical Ethernet port to be used for the public IP interface
9
Admin State: Enabled Logical Interface Select the corresponding Logical Interface
Admin State: Enabled Primary Address: Enter the Public IP Address for the SBC Primary Netmask: Enter the Netmask for the Public IP Address above
Modify IP Static Route The IP Static Route will have to be modified so that the SBC will be able to use the right Ethernet port for public connections. Additional IP Static Routes may be required if the private IP address is not on the same IP network as the IPpbx and/or other IP hosts such as management devices.
10
Gateway: The IP Default Gateway on the Public Static Route
Create Transformation Tables Transformation tables are used to modify number formats such as stripping the 4 digit extension from a E.164 number format.
11
Description: Provide a unique name for this Transformation Table Entry Type: For both Input Field and Output Field type ensure ‘Called Address/Number’ is showing in the applicable dropdown window Input Field Value: (.*) Output Field Value: \1 The above Input Field Value and Output Field Value entry will pass through the complete called number from the input SIP Signaling Group to the output SIP Signaling Group without change.
Create Route Tables
12
Enter a Route Table for the calls from Office 365 to route to the IPpbx and a Route Table for calls to route to Office 365 from the IPpbx. Leave the Route Tables blank at this time due dependencies not yet configured for Signaling Groups
Create Signaling Groups
13
Call Routing Table: Ensure the applicable Call Routing Table is selected in the dropdown window No. of Channels: Enter the max number of channels that could be in use at one time SIP Profile: Ensure the applicable SIP Profile is selected in the dropdown window SIP Server Table: Ensure the applicable SIP Server table is selected in the dropdown window Media List ID: Ensure the applicable Media List ID is selected in the dropdown window Listen Ports: Add the port and protocol the SBC should be listening for connections from the IPpbx or the Office 365 Server Federated IP/FQDN: Enter the IP address or the FQDN of the SIP Peer, either the IPpbx or the Office 365 Server 14
Modify Route Tables Once the Signal Groups are created the Routing Tables will need to be modified with the proper routing information.
Description: Provide a unique name for this Routing Table Number/Name Transformation Table: Select from the dropdown window the applicable Transformation Table entry 15
Destination Signaling Groups: Select ‘Add’ to enter the proper Signaling Group this Routing Table should send calls to
Generate Certificate Request TLS is required for Office 365 connections. The Certificate request will have to be signed by a public trusted Certificate Authority.
Common Name: Enter the Fully Qualified Domain Name (FQDN) of the SBC Key Length: Ensure ‘2048’ is selected in the dropdown window
Import Root Certificates The Root and Intermediate Certificates for the public signing Certificate Authority needs to be added to the SBC Trusted CA Certificate Table. These certificates will be checked to ensure the validity of the TLS connection.
16
a. Click on the Icon with the red arrow pointing up b. Select either ‘Copy and Paste’ or ‘File Upload’ from the Import Dialog c. Copy and Paste the Trusted Certificate if in text format or select the appropriate Trusted Certificate in file mode
Import Signed SBC Certificate Once the SBC Certificate is signed by the public Trusted Certificate Authority it is imported as a Trusted Certificate.
a. Click on the Green Plus Icon b. Select either ‘Copy and Paste’ or ‘File Upload’ from the Import Dialog c. Copy and Paste the Trusted Certificate if in text format or select the appropriate Trusted Certificate in file mode 17
