Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address 10

[dsm600rr]

Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya Goodies - Specifically for remote worker support so I have began messing around with Avaya IX Workplace. Lets just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

https://files.engineering.com/getfi...-b94e-c42db992ca0e&file=sip_extensions_en.pdf

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

I have not moved any further in the document as of now.

Thank you.

ACSS

 

[Sparrow4]

Thanks @JazzWizzard. Much appreciated. I'll push it during my off business hours.

 

[Sparrow4]

Thanks @JazzWizzard, it doesn't seem that it made a difference. @dsm600rr nothing new on my end sorry. I'm going to see if I can create the new certs that should work with TLS. Have a great weekend.

 

[Sparrow4]

Sorry no luck on my side @dsm600r. I enabled TLS not sure what's missing.

 

[Pepp77]

Im gonna post a lot of stuff here, this is all in house guides I have written so my less experienced colleagues can get an idea on what is required for all these addons.

Equinox on IP500

There are 3 things that need to be configured for Equinox to work on an IPO



1. Certificate

2. Firewall

3. IPO



Certificate

For Equinox to operate via a TLS connection we need to assign a certificate to the system. This will usually be a SAN certificate and will need one entry for each site the customer has, plus one generic entry.

1. Site1.company.com

2. Site2.company.com

3. Site3.company.com

4. Company.com



In the above example the first three entries are the FQDNs used for the individual sites and the 4th entry is the generic Domain used across all the sites. Adding the licences to the system is the same as on our standard hosted systems.

Also please remember you will need to get the customer to setup DNS records so that externally the FQDNs resolve to the assigned public IP address for each site, and internally to the IP address of the IPO itself.



Firewall

The following ports will need to be NAT'd/Allowed through any firewall.

TCP - 443

UDP - 40750 - 50750 (this may be different depending on the NAT RTP ports set on the IPO VoIP tab)

TCP - 6060 - 6061



IPO

System->System

Ensure Use Preferred Phone Ports is unticked



System->LAN->Network Topology

STUN Server Address – Blank Out

Firewall/NAT Type – Set to Unknown

Binding Refresh Time (seconds) – Set to 60

Public IP Address – Set to Assigned Public IP

Public Port UDP – Set to 5060

Public Port TCP – Set to 5060

Public Port TLS – Set to 5061



System->LAN->VoIP

SIP Remote Extn Enable - Activate

SIP Domain Name – Set to company.com

SIP Register FQDN – Set to site.company.com

TLS Port – Activate and Set to 6061

Remote (UDP Port) – Set to 6060

Remote (TCP Port) – Set to 6060

Remote (TLS Port) – Set to 6061

Port Number Range (NAT) – Amend to 40750-50750



Certificate Part 2

Log in to the security settings page of the IPO and apply both the intermediate certs and the pfx to the system.

Go to

https://site.company.com

Click on the padlock and download the certificate as a .cer

Save the certificate as WebRootCA.cer

At this point you need to amend the WebRootCA.cer to a WebRoot.pem

This can be done using an openssl session in Windows.

Run the session and ensure the downloaded certificate is in the folder highlighted on the openssl prompt.

Then enter the following command

openssl x509 -inform der -in WebRootCA.cer - out WebRootCA.pem

The file will be in the same location as the downloaded certificate.

Once you have the WebRootCA.pem file, log into the Embedded File Manager of the IPO and copy this file to the Primary folder.


We also came up with a lot of little workarounds to make live easier these include the following

R11 Changes - Required for Equinox and J Series Handsets


Go to

https://client.voice.pinnacle.cloud:7071

Login

Go to Settings-->General

Scroll Down to Certificates

Click on Download (PEM-encoded)

Save this file locally.



Rename the file to WebRootCA.pem



Open putty

Connect to client.voice.pinnacle.cloud on port 22

Login with Administrator.



Type cd .. until at the top directory

Type cd /opt/ipoffice/system and hit enter

Type sudo chmod -R 777 primary and hit enter





Open WinSCP

Connect to client.voice.pinnacle.cloud on port 22

Login as Administrator

Navigate to opt/ipoffice/system/primary

Copy the newly renamed certificate into this directory.



Go to

https://client.voice.pinnacle.cloud/46xxspecials.txt

Copy and paste the text into notepad

Find the following line

# J1X9SPECIALS

and then enter the following in the line below


SET TLSSRVRID 0

Save as 46xxspecials.txt



Open WinSCP

Connect to client.voice.pinnacle.cloud on port 22

Login as Administrator

Navigate to opt/ipoffice/system/primary

Copy the newly saved file into this directory.



Adding the SSL Certificate to the Server Edition
Download the certificate file from ConnectWise in Companies>Pinn>Configurations>*.voice.pinn.cloud>Documents
Extract the Zip file to a location on your PC. There will be 5 files.
Log in to the Server Edition with IP Office Manager and switch to Security Settings
Navigate to System>Certificates.
Under Trusted Certificate Store, Click "Add" and browse to the location where you unzipped the files earlier. Select the Intermediate.cer file
Under Identity Certificate, ensure that Offer ID Certificate Chain checkbox is ticked and then click "Set".
Check "Import certificate from file" and click "OK" and browse to the location where you unzipped the files earlier.
Next to the Filename, click the dropdown and select "Personal Information Exchange (*.pfx) and select the voice.pinn.cloud.pfx file and click "Open"
Enter the password
Click "OK" in the Security Settings and then Save. This will restart all the IP Office services.
After waiting a couple of minutes browse to

https://{clientname}.voice.pinn.cloud:7070

and ensure that your browser shows the green padlock.

| ACSS SME |

 

[Sparrow4]

@Pepp77..... Dude that looks good. I'll try it over the weekend. Thanks a lot!

 

[dsm600rr]

Pepp77:

When I get to your step of:

Go to

https://site.company.com

Click on the padlock and download the certificate as a .cer
Save the certificate as WebRootCA.cer

I have two certificates that show up:

No option to download as a .cer, only .pem

Why not just go to

http://192.168.42.1/WebRootCA.pem

and download that file?

ACSS

 

[Pepp77]

Because we are taking the ssl cert and amending it so the Avaya uses it instead of its built in one. Doing that uses the built in one.

| ACSS SME |

 

[Sparrow4]

Hi hope that all is well. @dsm600rr and Pepp77.
I can’t reach

https://site.company.com.

I can only use http. Thoughts?

 

[dsm600rr]

I think I am making some progress.

Internally, if I go to my FQDN, It hits my PBX.

Externally, if I go to my FQDN, it hits my firewall:

So I sent my firewall guy the ports that need to be opened from the document:

Now he stated that he had to do some port forwarding as there were issues with ports 443 and 80

Now when I go to my FQDN externally the page times out. My firewall guy says he sees the firewall forwarding to the PBX and it is not responding.

Should I be hitting the Web Manager from outside my network with the FQDN or is that by design that it does not show the Web Manager Externally?

If I do a nslookup to my FQDN Internally, it resolves to the IPO

Externally it resolves to my firewall.

ACSS

 

[dsm600rr]

Sparrow4: Have you set up Split DNS? Internal DSN Server from:

https://site.company.com

to your PBX?

ACSS

 

[Sparrow4]

My external fqdn is timing out as well. Works great internally and on VPN. I'll look into that port forwarding. Also I don't know if it's by design but from what I understand, we have to access the

http://mycompany.com/46xxsettings.txt

and FQDN internally and externally.

 

[Sparrow4]

I don't remember setting up split DNS. I'll look into that as well.

 

[Sparrow4]

Sorry for the radio silence guys. @dsm600rr, Pepp77 is right. So I fixed most of my firewall issues. I'm able to have it to work inside, outside of my network without VPN. The problem that I have now is that, it won't work with the FQDN like before for some reason. I can only use my Private an public IP to register the clients. I'm getting an error message with the FQDN that is related with DNS which doesn't make any sense since it use to work on that same week when I was cleaning house. The error message is URI contains invalid FQDN. DNS failure. Like I said very weird I had it to work that same week and all of a sudden I get this message telling me that the DNS server is wrong -__-

 

[Travis Harper]

I noticed on one of the screenshots you have sip domain and FQDN the same.
This is incorrect.

In your case, the correct way.
SIP Domain is pfcommunications.com
FQDN is ix.pfcommunications.com

In some cases I have seen, but have never tried myself.
SIP Domaain = The Public IP
FQND = The Public IP

Split DNS is the easy.
On your internal DNS server point ix.pfcommunications.com to the private IP of the IP Office
With your provider, create a DNS entry to point ix.pfcommuncaitons.com to your public IP address.

All that's left are the firewall ports, and correct network topology setting on the IP Office.

***URI contains invalid FQDN***<- your cert is configured incorrectly.

When you generate your cert, you need to enter this.<-double check for typos.. don't copy and paste.
DNSfcommuncations.com,DNS:ix.pfcommuncations.com,IP:the_private_ip,IP:the_pulic_IP,URI:sip:ix.pfcommunications.com,URI:sip:the_public_IP,URI:sip:the_private_IP

Regenerate and apply.
Download the root DER encoded ( the top buttons )
Download the Identity PEM. ( the bottom button )
Install on device.

When you view your cert, scroll down it should contain all the values specified.

 

[dsm600rr]

Travis Harper:

The reason the SIP Domain and FQDN is: ix.pfcommunications.com is that points to our public IP. pfcommunications.com points to some public IP address that we do not own. I would assume its whoever hosts our website.

Should I update that anyway?

On our internal DNS Server, I believe I have it set up correctly. On a local PC, If I go to nslookup ix.pfcommunications.com it points to my PBX Internal IP Address

See Photos:

DNSfcommunications.com,DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

Where do these two get installed? Windows Certificate Store?

Which is the Identity PEM?

ACSS

 

[Sparrow4]

@dsm600rr, Travis Harper is right... I'm up and running.

 

[Travis Harper]

@Sparrow4
Glad you got it sorted.
Sorry for the late reply.

 

[dsm600rr]

I have updated my: SIP Domain Name to: pfcommunications.com

Which is the Identity PEM? Please see my questions above. Would love to get this working after months of testing

ACSS

 

[dsm600rr]

ACSS

 

[Sparrow4]

@dsm600rr... you are at the steps to install the certs on a Windows machine? Let me know so I can send you screenshots. Also I used to install 2 certs but now I only install one.