
Avaya sbce portwell where do i need FQDN's?

Status
Not open for further replies.

rgunther

Hello - we are setting up our first Avaya SBCE (portwell) for J179 phone / SIP remote workers. The SBCE will be used solely for these J179 SIP phones/extensions. Currently, we have 7 Avaya IPO's on our local LAN all connected using the LAN ports with 192.168.x.x addresses. We are using some J179 phones / SIP extensions currently on our local LAN, but these are registering to the IP500 using the LAN IP address of the IP500. My question is when I configure the Avaya SBCE do I need to configure a FQDN for the Avaya IP500 and/or also for the SBCE that resolves to the Public IP of the SBCE?

Secondly, the SBCE administration manual says the 3 IP's (Internal for communicating with IP500's; External; and MGMT) all should be on different subnets. With our Local LAN, and Avaya IP offices all being on the same local LAN (192.168.x.x) - our Internal IP for communicating with the IP500s would be on the same subnet as the MGMT M1 port / both using 192.168.x.x addresses. Is this going to be an issue?

Thanks for the input.
 
The 3 networks thing isn't a big deal. I set them up in my lab with all interfaces on the same subnet to test things.

Presuming you were using 7 standalone IPOs, here's what I might do:

Get it working for the first IPO.

Then have 7 FQDNs - ipo001.yourcompany.com, ipo002.yourcompany.com, etc.

On the internet, they'd all point to a single IP on the SBC. On the internal LAN they'd point to each IPO.
You'd get a public certificate for that outside interface with 7 subject alternative names - one for each IPO

I'd use TLS port 5061 for IPO101, 5062 for IPO102, etc

Maybe have 7 IPs on the A1 interface just to know which IP coming in represents users from which site - but that's not necessary - it could all work fine with 1 IP

I'd make the IPO FQDN and SIP FQDN ipo101.yourcompany.com for the 1st IPO and so on and so forth. Remember the IPO needs to be able to resolve its FQDN via DNS to serve files it requested at I'd also use different ports on each for serving up settings files - 411,412,413, etc

I'd have a cert on the A1 signaling interface that all the IPOs trust. I'm not much of an IPO guy, but if you have 7 standalones, I think you might be able to generate a certificate for the SBC from each IPO. So, having 7 signaling interfaces, each with a cert from each IPO might be the best way to go.

Once you've got all that done, you can use the config for the domain on Spaces to have multiple pointers. So, when someone punches in me@yourcompany.com in the Workplace softphone setup, Spaces will return a drop down with IPO 101, 102, 103, 104, etc.

As far as setting up J179s outside the network, I'd check out using the DES and having a numeric code for each IPO so upon entering that code to the DES the phone would get or 412/413/414/46xxsettings.txt to get pointed to the right IPO.

But I do IPO once every few years, so I'm not the best guy to answer you, but it should give you a few things to think about.
 
Kyle - thank you so much for that! That helps tremendously.

I do have a couple questions though if you don't mind -

So I do like the idea of setting up TLS port 5061 for IPO101, 5062 for IP102, etc... But how does the J179 phone know which TLS port to use? If I just point the J179 phone to the external IP of the SBC, how does it know what TLS port to use and/or which IP500 to go to? Would the end user have to manually specify that on the J179 settings?

I guess if we have 1 external IP, how does the SBC know which of the 7 internal IPs to send the request to?


Sounds like we don't necessarily need a FQDN for the external/public IP of the SBC; rather just internal FQDNs to resolve to the 7 IP500s?

With our current J179's internally we have never used an FQDN- we just register them directly using the IP of the IP Office. While we are using Workplace, we do not use Spaces.
 
If you ever want to do softphones, and you have 7 IPOs behind the SBC, they need FQDNs to properly validate the certificate. It doesn't cost anything to have DNS point 7 FQDNs to the same IP and it doesn't cost anything extra for that 1 cert to have 7 subject alternative names of IPO101... IPO102... etc.

If you have 1 external IP, you can still have 7 signaling interfaces on it. You can have a signaling interface on B1 with port 5061 and another signaling interface on B1:5062

And then in your endpoint flows you can say
"if the received interface is B1:5061, then send out A1:5061 to server IPO101" and
"if the received interface is B1:5062, then send out A1:5062 to server IPO102"

You don't need to pay for or use Spaces to benefit from the autoprovisioning for soft clients. If you go in Spaces for the domain yourcompany.com and add an app called Equinox Cloud Client and add this string in the public JSON field, then when a Workplace starts up for the first time on iOS or Windows or whatever and they use "anybody@yourcompany.com" they'll get this JSON body which will return a 2 item drop down menu - IPO101 and IPO102 and that will direct them to a settings file on their own IPO. If you use HTTPS ports 411 for IPO101, 412 for 102, etc, then you can have a relay service on the SBC for each port to each IPO to get each softphone their configuration.

Code:
{"Client_Settings_File_Address":[{"Profile_Name":"IPO101","Client_Settings_File_Url":"https://IPO101.yourcompany.com:411/46xxsettings.txt"},
{"Profile_Name":"IPO102","Client_Settings_File_Url":"https://IPO102.yourcompany.com:412/46xxsettings.txt"}]
}

Now for J phones - it's a little more complicated. If you setup SIP FQDN in IPO and you have split DNS setup - to say, inside IPO101.yourcompany.com points to 192.168.42.1 and on the internet it points to a public IP - and if each IPO has an internal/external registration port of 5061 for 101, 5062 for 102, etc,

Then for IPO101 the autogenerated 46xxsettings file will point the phone to SET SIP_CONTROLLER_LIST IPO101.yourcompany.com:5061;transport=tls
And for IPO102 the autogenerated 46xxsettings file will point the phone to SET SIP_CONTROLLER_LIST IPO102.yourcompany.com:5062;transport=tls

That way once you provision the phones internally you can use them externally at someone's house.

If you wanted the J phones to autoprovision, then the DES server works like a URL shortener like bit.ly but with a numeric string pointing to a URL. So you'd get a string for IPO101 so the phone from scratch allows for DES provisioning and you'd enter some numeric string for IPO101 that points to
 
Once again big thanks Kyle this helps a ton. I do plan on having a split DNS setup all pointing to the same external IP / different internal IP's to the IP500's. We currently do use IX Workplace for our remote softphone workers, but this is thru a vpn; so they will not go thru the SBC. The SBCE will be for J179 phones only. This is a big help and will get me going in the right direction. Thanks again sir!
 
Well, even if you're VPN for the softphones, the Spaces setup can be used so they only have to enter their email to get autoconfigured and it'll work inside or outside the network.

And if you have some sort of setup like I outlined, you can still rely on the pre-built 46xxsettings of each IPO to properly configure J's and softphones and work within the provisioning framework provided.

Glad to help! Again, I do IPO once every year or two, there are far more knowledgeable people than me around here. I did have to do a setup like you were asking about when COVID broke out, so I kinda had it off the top of my head.
 
So my vendor is helping set up this SBCE for our 7 site IPO SCN. We have split DNS set up in which on the public inet the FQDN's of the 7 sites all resolve to the public IP of the SBCE. On our private LAN, the FQDN's then all resolve to the public IP's of the individual IP500's. I have been told by several that this is completely fine and correct setup / but our vendor is telling me that we do have to have 7 public IP's (one for each IP office). We are strictly going to be using J179 SIP phones via the SBC only. Do we really have to have 7 separate public IP's, or is the split-DNS setup we are using with a single public IP on the SBCE ok?
 
1 public IP should work fine.

Freelance Certified Avaya Aura Engineer
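
Added example, not part of any post in this thread and not Avaya code: a small consistency check for the single-public-IP layout discussed above, covering the split-DNS answers, the SAN list on the outside (B1) certificate, and the per-port endpoint-flow routing. The `Site`, `audit` and `route` names, the address 203.0.113.10 and the second LAN address 192.168.42.2 are constructed for illustration.

```python
# Added example: constructed plan data, not taken from a real deployment.
from dataclasses import dataclass

SBC_PUBLIC_IP = "203.0.113.10"  # constructed (RFC 5737 documentation range)

@dataclass(frozen=True)
class Site:
    fqdn: str          # SIP FQDN written into the IPO's 46xxsettings.txt
    internal_ip: str   # split DNS: answer given on the LAN
    external_ip: str   # split DNS: answer given on the internet
    tls_port: int      # per-IPO signaling port on B1 and A1

def san_matches(host, san):
    """Case-insensitive dNSName match; '*' covers one leftmost label only."""
    h, s = host.lower().split("."), san.lower().split(".")
    if len(h) != len(s):
        return False
    return (s[0] == "*" or s[0] == h[0]) and s[1:] == h[1:]

def audit(sites, cert_sans):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_ports = [], {}
    for site in sites:
        if site.external_ip != SBC_PUBLIC_IP:
            problems.append(f"{site.fqdn}: public DNS does not point at the SBC")
        if not any(san_matches(site.fqdn, s) for s in cert_sans):
            problems.append(f"{site.fqdn}: no matching SAN on the B1 certificate")
        if site.tls_port in seen_ports:
            problems.append(f"{site.fqdn}: port {site.tls_port} already used "
                            f"by {seen_ports[site.tls_port]}")
        seen_ports.setdefault(site.tls_port, site.fqdn)
    return problems

def route(sites, received_port):
    """Endpoint-flow lookup: the port hit on B1 selects the IPO behind A1."""
    for site in sites:
        if site.tls_port == received_port:
            return site.internal_ip, site.tls_port
    return None  # no signaling interface on that port, nothing to forward to

def controller_line(site):
    """The line a phone needs so the name it dials matches a SAN on the cert."""
    return f"SET SIP_CONTROLLER_LIST {site.fqdn}:{site.tls_port};transport=tls"

SITES = [
    Site("IPO101.yourcompany.com", "192.168.42.1", SBC_PUBLIC_IP, 5061),
    Site("IPO102.yourcompany.com", "192.168.42.2", SBC_PUBLIC_IP, 5062),
]
CERT_SANS = ["ipo101.yourcompany.com"]  # IPO102 deliberately left off

if __name__ == "__main__":
    print(audit(SITES, CERT_SANS))
    print(route(SITES, 5062), controller_line(SITES[0]))
```

With the sample data the audit reports only the missing IPO102 name on the certificate, which is the failure a phone would see as a TLS hostname mismatch even though DNS and the port mapping are correct.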

 