Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Avaya IX Wrkplace presence issue for remote worker via SBCE

Status
Not open for further replies.

UCMen33260

Technical User
Feb 17, 2020
53
FR
Hi team,

I have an issue with presence and contact search for IX Workplace remote user registered on SBCE.
Traces show that tpkt/mtcti get 401:

SNAG-0001_23-03-2020_17.02.54_sygtve.png

SNAG-0000_23-03-2020_17.02.49_kcjydm.png


443 traffic is allowed on my firewall.
And here is my Reverse-Proxy profile used:

SNAG-0002_23-03-2020_17.06.37_zejiu3.png


And my reverse proxy relay service: I authorize only /46xxsettings.txt, /WebrootCA.pem and tpkt/mtcti

SNAG-0003_23-03-2020_17.07.18_yzuu96.png


Any ideas?

Regards
 
What happens if you access it with a web browser and login?

"Trying is the first step to failure..." - Homer
 
Presence worked for 3 seconds and when I disconnect/reconnect, presence don't works
 
18:31:33 6596964mS HTTP: 10.176.0.240(42739)-(411) HTTPSession(Secure) (Total = 2)
18:31:33 6596964mS HTTP: 10.176.0.240(42739)-(411) HTTPSession: Operational
18:31:33 6596964mS HTTP: 10.176.0.240(42739)-(411) HTTPSession: TLSOperational Resumed=true
18:31:33 6596965mS HTTP: Secure Rx Src: 10.176.0.240(42739)-(411)
GET /tpkt/mtcti HTTP/1.0
Accept-Encoding:
Host: ipo.mydomain.com:411
X-Real-IP: x.x.x.x
Upgrade: websocket
Connection: upgrade
User-Agent: Avaya Communicator Android/3.7.4 (FA-RELEASE41-BUILD.2; SM-J415FN)
Cookie:
sec-websocket-key: lUld0d/A5IHixSCcP+IHjg==
sec-websocket-origin: sec-websocket-protocol: mtcti
sec-websocket-version: 13
18:31:33 6596965mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: stCreationCallback(10)
18:31:33 6596965mS HTTP: Public IP=10.176.0.240 Private IP=Not set
18:31:33 6596965mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: Trigger DNS address resolution for FQDN=ipo.mydomain.com
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: stCreationCallback(10)
18:31:34 6597893mS HTTP: Public IP=10.176.0.240 Private IP=Not set
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: DNS address resolved for FQDN=ipo.mydomain.com IP=10.176.0.225 dns_retries=0
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: stCreationCallback URI is authenticated
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: Authorization Failed: No Authorization Header
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPSession: SendErrorResponse Code: 401, Entity: NULL
18:31:34 6597893mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: SetState GracefulClose
18:31:34 6597894mS HTTP: Secure Tx Dest: 10.176.0.240(42739)-(411)
HTTP/1.0 401 Unauthorized
Connection: Keep-Alive
Date: Mon, 23 Mar 2020 17:31:35 GMT
Basic realm="WebSocket Group@ipoffice"
Server: IPOffice/
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Content-Length: 0
18:31:34 6597894mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: SetState AllSentAndAcknowledged
18:31:34 6597895mS HTTP: 10.176.0.240(42739)-(411) HTTPSession: ClientDestroyed: failure true
18:31:34 6597895mS HTTP: 10.176.0.240(42739)-(411) HTTPServerSessionIO: SetState Delete
18:31:34 6597895mS HTTP: 10.176.0.240(42739)-(411) ~HTTPSession: Duration: 931ms (Total = 1)
 
I get the same locally, but there's a new request afterwards.

Does it work on the local network without going through the SBC?

"Trying is the first step to failure..." - Homer
 
I had the same issue with an SBC, and had to move 443 from Reverse proxy to Application relay, after this all was good. So I think only 443 is needed for Equinox/IX.

Jamie Green

[bold]A[/bold]vaya [bold]R[/bold]egistered [bold]S[/bold]pecialist [bold]E[/bold]ngineer
 
Ports 411: Secure client configuration/Web Socket if "use preferred phone ports" is enabled in IP Office system manager. Otherwise 443
Ports 8411: Secure client configuration/Web Socket if "use preferred phone ports" is enabled in IP Office system manager. Otherwise 80

Jamie Green

[bold]A[/bold]vaya [bold]R[/bold]egistered [bold]S[/bold]pecialist [bold]E[/bold]ngineer
 
Of course on the local network it's working fine !
It's IX Workplace or SBCE 8.0 bug !
 
Pretty sure IX uses 443 regardless of the IP Office preferred ports setting (its why they slipped in the preferred weasel word as some phones and apps ignore the indicated port and still do there own thing). But you are right, use application relays, not reverse poxys (sic).

Stuck in a never ending cycle of file copying.
 
I had issues with reverse proxy. Creating the reverse proxy configuration in R8 generated error messages, that a NGINX confit file cannot be loaded. It’s missing. Probably a rights issue so that the generation of the file not allowed.

Even if reverse proxy would be my preferred option (because it terminates the session and SBC delivers the certificate instead of IPO). But since it didn’t work, I switched over to application relay, applied a valid certificate to IPO and everything worked fine.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN
 
IX workplace uses HTTPS 443 and HTTP 80 to the IP Office system. You need application releays for both.

Stuck in a never ending cycle of file copying.
 
It will not use HTTP to connect to IP Office, I only have TCP/411 forwarded to my system and it works fine from mobile network.

"Trying is the first step to failure..." - Homer
 
Using unsecure ports like 80 is dangerous from Internet !
Equinox worked fine for me with reverse proxy on 443 or 411 (preferred ports).
It's a simple bug like many others on Avaya systems !

 
18:31:34 6597893mS HTTP: Public IP=10.176.0.240 Private IP=Not set
Change your certificate for Public IP Address and Private IP Address. "Public IP=10.176.0.240" this is a private IP Address not Public
 
It says the same on mine, and he's using an SBC so they IPO shouldn't be aware of the external IP.
Also certificates shouldn't have IP addresses, I only have my FQDN in my certificate.

You need to post the whole HTTP log, there much more going on there than the part you posted.
Mine will also fail at first and then send the same again.

As far as I understand presence should be handled by Zang.

"Trying is the first step to failure..." - Homer
 
Presence is on the IPO office, even if you use Zang you are still pointing it to the IPO Office.
This is an identity certficiate which you create for external use with DNS, External and Internal Resolved IP's or have a split DNS setup pointing to an Internal IP/PBX.
Presence is got on port 443 and 411 TCP pointing to the PBX.
@derfloh has the resolution.
 
Presence works for me with my configuration.
The issue is when I make tracesbc on HTTP (active traces), and I connect a Workplace, presence don't work.
So I exit HTTP traces, I disconnect/reconnect the IX Workplace user and the presnece work again !
Strange that the traces block presence flow when it is active...
#Avaya
 
bahmonkey said:
Presence is on the IPO office, even if you use Zang you are still pointing it to the IPO Office.
What are we basing this on?

There is no presence between Zang and non-Zang users and documentation states that presence comes from *.onesna.com.
TCP/411 (or 443) is needed but it's not used for presence.

Same as IM, which is handled in Zang, although it seems like in 11.1 (according to IX 3.8 rel notes) there will be the possibility to use One-X for on-prem messaging.

"Trying is the first step to failure..." - Homer
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top