
MBG Design question

Status
Not open for further replies.

KurpeusLondon

Technical User
Apr 14, 2010
119
GB
Hi guys,


If I have three sites and each site has its own ICP + MBG, can I connect remote sites together using MBGs? (Answer is most certainly yes, but what's the best way!)

So let's say I've three sites that I want to interconnect but without using SIP trunks / IP trunks. The reason behind this is I want to keep the security as tight as possible and preferably use encrypted comms between sites.

The problem I have with IP trunks and SIP trunks alone is that while the signalling is restricted between gateways, the voice channel is established between IP phones and this does not fit well in my security model.

So what I have in mind is that if I use MBG between sites (1 per remote site), traffic (signalling + voice) is enforced between these three.

Now what I don't know is should I treat the three sites independently (therefore each site sees the two others as simple SIP peer proxies)

or


should I create a cluster with the 3 MBGs and each site uses a SIP trunk to its local MBG (so I have a meshed network and comms are encrypted)?

Does this work?


Thanks,



 
Totally confused by what you are trying to do. I thought by default voice is encrypted on the 3300, therefore it would be encrypted over IP trunks, i.e. when streaming between IP phones.

Not sure how using an MBG and SIP gives you any more encryption or protection if you think straight SIP or IP trunks are not secure?

When you speak of clustering I assume you speak of clustering the MBGs, because the ICPs won't be clustered without IP trunks.

I'd tell you a UDP joke but I'm afraid you won't get it. TCP jokes are the best because you always get them.
 
Why don't you use firewalls to establish VPNs between sites? This will give you a level of security. Then IP trunking will encrypt voice, which will add more security.

I have seen financial institutions doing it this way and facing no security issues...

 
I think I get what you are saying. If you use any type of IP trunks then you have to open firewall ports to the whole VoIP subnet rather than, say, VoIP subnet to MBG then MBG to public.

However, are you using a public or private network between sites? MBG can proxy SIP but I don't think it does IP trunks? If over the Internet then all PBXs would need a public IP address and therefore this comes with its own security issues.

Dan's VPN is the route forward I would suggest if this is to go over the public network.
 
Hi guys,

Thanks for your answers, I'll try to clarify a bit.

As bobcheese understood, when using SIP or MiNet, the call signalling is done between VoIP gateways. Then endpoints communicate directly (open a UDP stream to the remote IP phone). This is what I would rather avoid.

What I like with MBG is that it is seen as a true proxy, therefore all connections from your internal network are made to the proxy and the proxy only (both call control and voice signalling).

For the same reason VPNs aren't good (or I should say aren't the best). Yes, it gives me the encryption of communications but I still need to allow a subnet to talk to the remote subnet.

When I mentioned cluster I was referring to a cluster of MBGs (I need to have the ICPs in different domains). If you think about it: you have two ICPs located at different sites that do not share any information. Each site also has an MBG so that each ICP is linked to one member of the MBG cluster. As far as each ICP is concerned, it's simply connected to a SIP proxy. So if I can define on the MBG cluster what numbers belong to each ICP, then I've achieved encrypted comms between the two sites (as all comms in an MBG cluster are encrypted) and all communications are restricted between the two MBGs' public IPs. But as I have a very limited knowledge of MBG I don't know if I can do that.

Of course the second option is to not create a cluster of MBGs, leaving each site with a standalone MBG and linking the two MBGs using SIP trunking. Doing so I'll have restricted traffic to the Internet between the two MBGs, but as they use SIP, the comms are not encrypted (not that this is the strongest requirement).


About the comment that MiNet is already encrypted, I'm not too sure about that. Yes, MiNet is a Mitel proprietary protocol but it's only used for the call control. The call control travels through the IP trunk but, like SIP, the endpoints open a direct RTP stream to each other and that stream is not encrypted (you can play it with Wireshark) (nor does it go through the IP trunk).

And I'm not sure that I have been any clearer :D

Cheers,
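One way to check which of the two models a site actually runs, as an added example that is not part of this thread: audit firewall flow records and flag phone traffic that bypasses the MBG (peer-to-peer media to the remote site, or media to an unknown host). The subnets, MBG addresses and sample records are constructed assumptions.

```python
# Added example (not from the thread): classify constructed firewall flow
# records to see whether phone traffic is anchored at the MBG or bypasses it.
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumed topology, constructed for this example.
LOCAL_PHONES = ip_network("10.1.10.0/24")    # this site's phone subnet
REMOTE_PHONES = ip_network("10.2.10.0/24")   # peer site's phone subnet
LOCAL_MBG = ip_address("10.1.1.5")           # this site's MBG (LAN side)
REMOTE_MBG = ip_address("203.0.113.10")      # peer site's MBG (public side)
ANCHORS = {LOCAL_MBG, REMOTE_MBG}


def classify(flow: Flow) -> str:
    """Label one flow relative to the 'phones talk only to the MBG' model."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LOCAL_PHONES:
        return "non-phone"           # MBG-to-MBG, servers, etc.
    if dst in ANCHORS:
        return "anchored"            # phone -> its MBG: expected
    if dst in REMOTE_PHONES:
        return "peer-to-peer"        # phone -> remote phone: media bypasses MBG
    if dst in LOCAL_PHONES:
        return "local"               # intra-site, not the concern here
    return "unexpected"              # phone -> some other off-net host


def audit(flows):
    """Return the flows that violate the anchoring model."""
    return [f for f in flows if classify(f) in ("peer-to-peer", "unexpected")]


# Constructed sample records: (src, dst, proto, dst port).
SAMPLE = [
    Flow("10.1.10.21", "10.1.1.5", "tcp", 5061),       # SIP/TLS to local MBG
    Flow("10.1.10.21", "10.1.1.5", "udp", 20004),      # RTP to local MBG
    Flow("10.1.1.5", "203.0.113.10", "udp", 20010),    # MBG to MBG
    Flow("10.1.10.22", "10.2.10.40", "udp", 20020),    # phone to remote phone
    Flow("10.1.10.23", "198.51.100.7", "udp", 20030),  # phone to unknown host
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{classify(f):13} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```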
 
Hi Kurpeus

First thing to clarify is that any voice signalling and RTP from MiNet phones is encrypted 128-bit AES. You should check in the system options form on the 3300 and you will find an option called voice encryption. Make sure it is turned on.

SIP is different, in that it does not use SRTP (secure RTP). So depending on what type of call you are capturing will depend on whether you can replay it or not.

Secondly, I think there may be a way to do what you ask with IP translations on the MBG. Will have a look in the docs and come back to you.

But as a rule of thumb normally you wouldn't use an MBG to network. You could just use the MBG as the anchor point as well. Boot all phones through it just like an SRC, then all voice would be anchored to them rather than peer to peer.
 
Thanks for the clarification Mitelmatt,

I guess I should give the whole picture.

One client is transferring their first line support to us. Since they generate a large number of calls, in order to keep costs down, instead of using the PSTN network to route calls down to us, I could be using existing private trunks or an SSL/VPN solution through the Internet (the nature of the "external" connectivity is irrelevant).

I don't have all the details right now, but what I thought was to install two ICPs (clustered) on their side with two MBGs (also clustered) for full resilience. Each ICP interfaces with their existing telecom system using two private T1/E1 interfaces.

From there I've got two options: either I simply create a SIP trunk back to my infrastructure (also using MBGs on my side) or, if it works, I cluster their MBGs to mine and the overall Mitel solution is seen as an extension of my Mitel infrastructure.

I know it sounds a bit messy but if you draw a picture it isn't that much :D


 