
Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address 10

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya goodies, specifically for remote worker support, so I have begun messing around with Avaya IX Workplace. Let's just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

1_xm3swl.jpg


I have not moved any further in the document as of now.

Thank you.

ACSS
 
derfloh: Correct, not even sure what a "SIP FQDN" is or how to "Set up". Is it in the documentation? I do not see it.

Also, SSA was showing this:

2_tzoipl.jpg


ACSS
 
derfloh: I currently have the IPO LAN 2 SIP Registrar FQDN with the IP Address of itself.

The WAN is currently acting as the DHCP server for my J179's as well as where the SIP Trunk comes in.

The LAN is on our internal data network for One-X / Local PC Access to PBX

5_p8ccsw.jpg


ACSS
 
derfloh: 5 years and aced my ACSS Exam, so I have some experience with the IPO. I am the only Avaya guy in my company so knowing everything is pretty much impossible haha.

The whole point would be to connect external (remote workers) - Currently using Communicator.

ACSS
 
derfloh: I am aware that an internal IP Address will not work.

When I was at Jenne for ACSS and we were doing exercises on the J100's, they had the SIP Registrar FQDN set to the IPO LAN IP Address, so I just assumed that was required for the J100's?

Guessing that was there for other reasons and all lab work was internal.

ACSS
 
The certificate warning is probably the connection to Zang. You need to import the certificate from Zang's webpage to IP Office if you want user sync to work. Dunno why this isn't mentioned or why it isn't trusted by default.

"Trying is the first step to failure..." - Homer
 
janni78: Appreciate the info. Where can the certificate be downloaded from when logged into Zang? What is the process to upload the certificates to the IPO?

Clearly I have not yet dealt with Certificates or FQDN :)

How can you confirm what is actually connected and working? I am assuming I need to get this "public resolvable FQDN and a SIP domain" figured out before anything will work? Is this what connects the IPO to "Spaces" and then "IX"? What is "Zang" doing exactly?

Also not sure what to do here: "you need a valid certificate and a root CA trusted by the clients"

Definitely new to all this remote worker stuff. Previously we always just deployed VPN Phones.

ACSS
 
Open https://accounts.zang.io with Chrome, click on the padlock, show the certificate and download the issuing certificates GTA and Google.
cert_eww0r4.png

Then upload the certificate to IP Office in security settings - trusted root certificate authorities.

As soon as you have configured Zang user sync, your IPO users will be visible in your Zang domain if you enable this. And Zang will automatically know the URL of your 46xxsettings.txt.

The IX Workplace client connects to Zang, you will enter your email address, Zang will know your domain, and Zang will inform the client about the settings file URL. You just have to enter username and password afterwards.

You can also avoid Zang and just enter the settings file URL in the client app.

As soon as you use TLS encryption (and that's strongly recommended!) IP Office will need a server certificate, that matches the DNS name and SIP Domain the client connects to and the client has to trust the issuing CA of that certificate.

Even if without ASBCE this document gives good hints:
If it's completely new, I recommend to ask someone to help you.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN
 
derfloh: I definitely appreciate the detailed post. You clearly have been doing this a long time.

I am asking for some help/guidance here as the most knowledgeable people are here :) Star for you.

Anyway, one thing at a time. Back to the certificates. Which format does the IPO Need?

Cer_e13d7h.jpg


ACSS
 
I usually pick Base-64, both .cer formats probably work.

"Trying is the first step to failure..." - Homer
 
janni78: Thank you. Is the file name important?

Name_tbfvjz.jpg


ACSS
 
Hello all,

So I have made some progress just messing around with things

In the office (local LAN), I have everything configured where I just enter in my email address, extension and password and the app pre-configures and allows me to log in and take calls.

Workplace_f3rcgg.jpg


I have a subdomain created: ix.our_domain.com A record that is pointed to the Public IP Address of our firewall.

Using dnschecker.org I can see that the subdomain is resolvable to the public IP Address of our Firewall.

I will then Have my Firewall guy forward the specific ports and hosts listed in the document to the IPO?

Ports_xqreos.jpg


Hosts_vkxkpf.jpg


At that point should the Workplace App work from anywhere outside of the LAN?

If so, great. The next step I believe should be the TLS Encryption, however I have never really messed with Certificates within the IPO. Is only a TLS Cert needed for the IPO? Is this manually created? Suggestions here would be great.

Thank you!

ACSS
 
Here's the step needed to make this cert work:

If you use the IPO as the certificate authority, then you need to download the IPO root CA and install it into your computer.

Then you need to create an identity certificate for the IPO itself.

Subject Name: hostname.domain.com (example iposrv.mycompany.com)
Subject Alternative Name: DNS:mycompany.com, DNS:iposrv.mycompany.com, IP:192.168.42.1 (internal IP of your IPO), IP:172.45.15.26 (external IP), URI:sip:mycompany.com

Make sure that you have a SIP domain and SIP FQDN configured in Manager under System/LAN1/VoIP. The SIP FQDN must be the same one you use in the certificate (obviously). I personally use the hostname of the IPO for the SIP FQDN like I showed above. This FQDN must be resolvable by DNS! In your internal DNS server, the A record for, say, iposrv.mycompany.com must point to the internal IP of your IPO. You'll also need to do the same thing on your external DNS server so that iposrv.mycompany.com is resolvable from the internet as well. This is what's called split-DNS.
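A consistency check for the layout described in the post above, as an added example that is not part of the original thread or any Avaya tooling: it parses a Subject Alternative Name string in the form shown in the post and compares it with the SIP FQDN, SIP domain and both sides of the split DNS. The function names and the DNS dictionaries are hypothetical stand-ins for live lookups, and the private-inside/public-outside rule is an assumption.

```python
import ipaddress

def parse_san(san_field):
    """Split 'DNS:a, IP:1.2.3.4, URI:sip:a' into sets keyed by entry type."""
    san = {"DNS": set(), "IP": set(), "URI": set()}
    for item in filter(None, (p.strip() for p in san_field.split(","))):
        kind, sep, value = item.partition(":")
        kind, value = kind.strip().upper(), value.strip().lower()
        if not sep or kind not in san or not value:
            raise ValueError(f"unrecognised SAN entry: {item!r}")
        san[kind].add(str(ipaddress.ip_address(value)) if kind == "IP" else value)
    return san

def preflight(subject, san_field, sip_fqdn, sip_domain, internal_dns, external_dns):
    """Return a list of problems (empty = consistent). The *_dns arguments are
    {name: A record} dicts standing in for each side of the split DNS."""
    fqdn, domain = sip_fqdn.strip().lower(), sip_domain.strip().lower()
    try:
        ipaddress.ip_address(fqdn)
        return ["SIP Registrar FQDN is an IP address, not a DNS name"]
    except ValueError:
        pass  # good: it is a name
    san, problems = parse_san(san_field), []
    if subject.strip().lower() != fqdn:
        problems.append("certificate subject does not match the SIP FQDN")
    for name in (fqdn, domain):
        if name not in san["DNS"]:
            problems.append(f"SAN is missing DNS:{name}")
    if f"sip:{domain}" not in san["URI"]:
        problems.append(f"SAN is missing URI:sip:{domain}")
    # Assumption: internal view answers with a private address, external with a public one.
    for view, records, want_private in (("internal", internal_dns, True),
                                        ("external", external_dns, False)):
        addr = records.get(fqdn)
        if addr is None:
            problems.append(f"{view} DNS has no A record for {fqdn}")
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_private != want_private:
            problems.append(f"{view} DNS answers {ip}, wrong side of the NAT")
        if str(ip) not in san["IP"]:
            problems.append(f"SAN is missing IP:{ip}")
    return problems

# Constructed sample built from the example values in the post above.
SAN = ("DNS:mycompany.com, DNS:iposrv.mycompany.com, IP:192.168.42.1, "
       "IP:172.45.15.26, URI:sip:mycompany.com")
INTERNAL = {"iposrv.mycompany.com": "192.168.42.1"}
EXTERNAL = {"iposrv.mycompany.com": "172.45.15.26"}
```

Calling `preflight("iposrv.mycompany.com", SAN, "iposrv.mycompany.com", "mycompany.com", INTERNAL, EXTERNAL)` returns an empty list; setting the SIP FQDN to the IPO's own IP address, as earlier in the thread, is reported as a problem.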
 