Does anyone here have any experience with being a TelAgility reseller for hosted IP Office? Just curious what your experiences are and how well the solution is working for your customers.
It works well, and the folks at TelAgility are very responsive and willing to work with you. You need to be careful for your customer site as to how their Internet service is delivered and what ISP modems and routers are being used. Often it is necessary to work with TelAgility to create a VPN tunnel for the phones.
Thanks TTT, the trickiest part I see is what you just mentioned in regards to how the ISP is delivering the internet/routers and QoS on the CPE end, and then having a plan for the customer if their internet ISP is down. If you don't mind, I'd like to pick your (or anyone's) brain on a few thoughts and curiosities.
For an average office of around 20 phones, and VPN'd to TelAgility, how are you handling QoS on that router? (Like what specific QoS implementation, just plain ole bandwidth reservation, or something more fancy?)
How many customers have you done with TelAgility? As a programmer/tech install/support do you personally like the solution vs on-premise in terms of managing your customer (with future changes, moves, adds, upgrades)?
Do you have a favorite router/VPN/QoS device you recommend? We use SonicWalls and some Ubiquiti edge routers.
How do you handle ISP internet outages with this solution? (with no fallback IP500v2 onsite) I know TelAgility mentioned twinning to another # seems to be an easy fix if the customer internet is down. Is this something you proactively program, or program on the fly if it happens?
Without a VPN, for a small location (less than 5 phones), do the phones behave themselves assuming the ISP is good? Do you use SRTP and media security without a VPN for these types of situations?
Any fun gotchas you've run into with this solution?
We started selling TelAgility in the last six months. The main issue we have had is VOIP Security. We have run into several instances where SRTP (VOIP Security) for the 9608G phones will not work if enabled on the VOIP tab under extension. Of course if you call the internet provider they say they are not blocking anything. Then you are forced to go with a point to point VPN with TelAgility.
If you go with a point to point, make sure you request it from TelAgility before programming or planning any network layout. Every VPN we have requested we have had to change our LAN IP scheme for the phones as there was a conflict with another customer already on the hosted solution.
Currently, J129 phones on release 10 DO NOT support SRTP. You must have a point to point. Also, the customer's public IP address must be "White Listed" by TelAgility for SIP phones to connect. Spent 2 days troubleshooting this one.
As stated above make sure the customer has good internet speed, commercial firewall/router, and QOS. Make sure you are secure, secure, secure with passwords and logins or you will be HACKED.
If you're not going to do it right, don't bother doing it at all!
I am in the middle of our first TelAgility setup. I just deployed phones today over three different sites. They are still sitting on one test number. The cutover isn't until next week.
After a ton of hurdles (some self-inflicted) I have actually come to like it. I'm a VM pro newbie as well and even that went well. I hope the security thing doesn't come into play for us. I just have option 242 at all three sites pointing to the cloud IPO.
As far as I know the only way to have security between a 9608G phone & the hosted IPO at TelAgility is to either have a point to point VPN or use SRTP (VOIP Security) on the extension tab or on the system security tab. If there is another way I would like to know.
If you're not going to do it right, don't bother doing it at all!
I have just been enabling SRTP (VOIP Security) on the Extension-VOIP Tab for each extension. Set Media Security to "Enforced".
If you want to enable it for all connections (phones, SCN lines), go to the System-VOIP Security Tab. Set to "Enforced". Note that when you enable VOIP security on the system tab it will affect ALL IP Phones (96xx, J129, etc) as well as SCN trunks. If you have systems networked together you will need VOIP Security enabled on all systems or at least SCN lines. A non-encrypted SCN line will not connect to an encrypted SCN line. Since this is hosted that will most likely not be an issue.
If you're not going to do it right, don't bother doing it at all!
We decided to just create hosted systems ourselves. We use Virtual1 to provide the data centre and then where possible get the customer to have a Virtual1 leased line with direct IP connectivity to the DC as well as normal internet breakout so no need to worry about QoS.
I may be resurrecting the dead here for this old(ish) thread, but this is the best thing I can find online for the scenario I'm looking into.
Depending on what answers I can get, may make more questions ;-)
1) From what I've read above, it sounds like for mid sized offices, i.e. 20+ (I'm 50+), that you set up an IPsec tunnel to TelAgility. Is this considered their standard practice? I've had just straight H.323 over TLS/SRTP suggested to me.
2) I'd like to have the phones capable of working securely within our site and outside of the office i.e. able to take them home with no config change required. I was thinking an internal VPN configured in the phone would be the best option as that's what I have working for one of my offices to their on prem IPO 500V2 running 8.044, with a SonicWall acting as the VPN gateway. Works great, but a PITA to get working initially. Is the above (#1) "good enough" for security?
3) How do you securely maintain this environment? Is your account open to the internet and just secured by user/password?
TelAgility wants you to have a point to point for anything over 2 phones. Now I have been also told anything over 6 phones. On every point to point we have requested there was a conflict with the IP range for local LAN so we had to change it each time.
No matter if you have a point to point or you enable "media security" SRTP, all phones point to a public static IP address.
We have had an issue with multiple home routers when trying to use SRTP enabled phones remotely. Most home routers will not let the phones register. I have even tried disabling SIP ALG in the router firewalls. Most of the time I can get the phone to work if I connect directly to the cable modem but not after the router. If SRTP is disabled the phone works fine.
Security is maintained by point to point or "media security" SRTP. Secure passwords for extensions and ONE-X. No using extension numbers anymore.
Again, all phones point to a public static IP address. This IP address receives 1000's of ping requests each day of people trying to hack into the system.
One thing TelAgility has done a great job on is securing remote access to programming, system status and monitor. Also, if you are running SIP phones. I will not go into details as hackers read this site as well.
If you're not going to do it right, don't bother doing it at all!
Funny, I just set up a client with 3 sites. Only one site had more than 3 phones but TelAgility didn't push at all for a site to site. Perhaps because my company isn't managing the IT side of things (yet), so it would have been difficult to revamp the local subnet scheme.
Only time I had issues with registration was when I needed a 7071 reset. All phones are pointing to the public IP via DHCP option 242 and are behind WatchGuard (soon to be FortiGate) firewalls.
First off Merry Christmas / Happy Holidays to both of you!
Thanks for the input, it's very valuable in my decision making. I will be needing these phones to work from home networks, so the SRTP item may save me some troubleshooting. If I recall, you can turn this on as a global setting in the, or on each set (in the IPO, not from the set). If so, I can have it on by default, but disable for "home" phones if they don't register right away.
I'm a bit confused on TA setting up a Point to Point, but using a Public IP. Is the P2P just for the config, or does it use the public IP to negotiate then link SRTP through the P2P? Sounds like a weird setup.
Not too worried about the IP range as this will be our jump into IP Phones, so it will all be set up on a new subnet with VLANs, so we'll let TA tell us what subnet to use.
Glad to hear TA is good at the programming security portion. We've had a previous IPO hacked and it wasn't fun dealing with it.
Anyone know if these setups have issues connecting via H.323 links to other physical IPO version 8.+ systems? We have 3 systems globally all linked. We're only upgrading one for now. Will I lose any features? I don't use much, key items are ext to ext dial and being able to login an ext originally from office A, when visiting office B. On one side I'm told we won't lose anything and another side is telling me, only if I upgrade my other systems to 10.X.
Main reason I'm going hosted is the PITA it is to upgrade to 10.x as we have advanced edition and much of the CCR has changed and requires it to be rebuilt. If I need to do that, I'd rather do it once... or, would it make sense to upgrade it locally, then the migration to hosted will be so much easier?
To be very clear, TelAgility does not require a P2P VPN unless you are deploying a 500v2 in a Hybrid environment. All TLS the devices are secured over the internet.
Thanks for the info. We do have a 500v2 (actually 3) going to be setup in a Hybrid environment.
1) Existing system to allow smooth migration for each user. i.e. Connect new IP phone and login to new system.
2) 2 other offices to maintain 4 digit dialing.
Question - I'm told we can't use small community networking in this setup, so we can get H.323 4 digit dials to work, but not features like shared hunt groups across the hosted and 500v2 systems. Is this correct?
I'm not that familiar with WebSocket outside of general definitions. I've never actually used it. Based on my understanding, this may allow the systems to talk and share info between them, but doesn't really add any security. I guess you could do this and then add firewall rules to lock down access between the 2 Avaya servers.
All of this is also only for the access between Avaya servers (whatever release). If you use any other items like TAPI, or SMDR from other systems/servers to an Avaya, I don't think WebSocket can work for these, so you'd still need the VPN to the LAN in question (or further NAT and Firewall rules).
**Disclaimer** as mentioned, I'm not that familiar with WebSocket, so the above is only what I think would be the case. If I'm wrong, please school me on the ways of using WebSocket with the Avaya.
Cheers!