One-X Comm vs Agent for Desktop Security (SBCE)

underwoj (Technical User, member since Sep 13, 2006, 199 posts, US)
Hi -

I have successfully connected my One-X Communicator to our SBCE by exporting/installing the SMGR CA cert on my laptop and modifying the .xml file (<EnableHostnameValidation>false</EnableHostnameValidation>).

I downloaded a trial version of Agent for Desktop and am attempting to run this through our SBCE as well. In AAFD, I went to Settings -> Security -> Third Party Certificate, configured it to 'Use local' and pointed this back to the SMGR CA cert that I exported... but the client will not register. Is there something I am missing to get this client to register vs. One-X Comm?

Thanks much!
Robert
 
I guess start with Wireshark and see if you get some FATAL on the Client Hello/Server Hello/TLS handshake.
 
Thanks Kyle - it does appear this handshake is good?

[screenshot: Wireshark capture on the Wireless Network Connection interface, 2019-08-27]
 
Maybe add the display filter
tcp.port == 5061

But either way, you should see fatal unknown CA or something after Server Hello Done if there was a cert problem. There are too many packets on your screen that aren't port 5061 to see what happened after. But the bottom-most TLSv1.2 packet, I suspect, is the happy and ready-to-go handshake.

So, a traceSBC ought to show you a SIP REGISTER message. There are certain security policies you can put in the SBC, like what string of 'user agent' maps to an endpoint policy group. So, if yours isn't the wildcard * but instead Avaya *, and your client shows up as "VDI Avaya Agent", then you wouldn't match anything at the SBC end. Just a guess.

Otherwise, any chance you can try the client directly on SM?
When you say you got one-X successfully registered, does that include PPM and the keys assigned to the phone?
 
Oh - you could be onto something with the User Agent Profile... I logged into the SBC and the below are configured. Are the Regular Expressions for the different types something that Avaya provides, or do I just add a name that would come across in the registration to the SBC? So for Avaya Agent for Desktop, would I just add that name?


[screenshot: User Agents page of the Avaya Session Border Controller for Enterprise, 2019-08-27]
 
It's a layer of security. So, traceSBC and look at your REGISTER; in that message there will be a user agent string. Browsers have them too. That's how a website sees User Agent: Safari for iOS and gives you the iPhone version, and when it's Windows NT version X IE11 it knows you're on a desktop.

So, your SBC won't pass any REGISTER along to SM that doesn't match what you have above, so no one can play any funny business.

So, make sure whatever user agent is coming across has the same config as the rest.
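The User Agent profile check Kyle describes above, as an added worked example that is not from the original thread and not Avaya's SBCE code: a small Python model of an SBC screening a SIP REGISTER by its User-Agent header before forwarding it to SM. The REGISTER messages, the user agent strings ("Avaya one-X Communicator/6.2", "Avaya Agent for Desktop/2.0"), the profile pattern "Avaya one-X.*" and the policy group name "remote-workers" are all constructed for illustration; "Avaya Agent*.*" is the pattern underwoj later reports adding, and "VDI Avaya Agent" is Kyle's hypothetical. The matching semantics (Python re.match, anchored at the start of the header, first matching profile wins) are an assumption about the SBCE, not documented behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed User Agent profiles: (regex, endpoint policy group).  The first
# pattern and the policy group name are hypothetical; "Avaya Agent*.*" is the
# string reported as added in the thread.
PROFILES_BEFORE: List[Tuple[str, str]] = [
    ("Avaya one-X.*", "remote-workers"),
]
PROFILES_AFTER: List[Tuple[str, str]] = PROFILES_BEFORE + [
    ("Avaya Agent*.*", "remote-workers"),
]


def build_register(user_agent: Optional[str]) -> str:
    """Construct a minimal SIP REGISTER over TLS (sample data, not a capture)."""
    lines = [
        "REGISTER sip:example.com SIP/2.0",
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-1",
        "From: <sip:1001@example.com>;tag=1",
        "To: <sip:1001@example.com>",
        "Call-ID: 1@192.0.2.10",
        "CSeq: 1 REGISTER",
        "Contact: <sip:1001@192.0.2.10:5061;transport=tls>",
    ]
    if user_agent is not None:
        lines.append(f"User-Agent: {user_agent}")
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(message: str) -> Dict[str, str]:
    """Return the headers of a SIP request as a lowercase-name -> value dict.

    Keeps the first occurrence of each header, which is enough for
    User-Agent; a real SIP stack also handles folded and repeated headers.
    """
    head = message.partition("\r\n\r\n")[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def match_user_agent(ua: Optional[str], profiles: List[Tuple[str, str]]) -> Optional[str]:
    """Return the policy group of the first profile whose regex matches ua.

    ASSUMPTION about the SBCE: the regex is anchored at the start of the
    header (re.match) and profiles are tried in order.  A REGISTER with no
    User-Agent header matches nothing.
    """
    if ua is None:
        return None
    for pattern, policy_group in profiles:
        if re.match(pattern, ua):
            return policy_group
    return None


def screen_register(message: str, profiles: List[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Model the SBC's decision for one REGISTER.

    Returns ("FORWARD_TO_SM", <policy group>) when a profile matched and
    ("REJECT_403", None) otherwise; 403 is what traceSBC showed in the thread
    while the Agent for Desktop user agent was not configured.
    """
    headers = parse_headers(message)
    group = match_user_agent(headers.get("user-agent"), profiles)
    if group is None:
        return ("REJECT_403", None)
    return ("FORWARD_TO_SM", group)


if __name__ == "__main__":
    # Constructed user agent strings; the real products' strings are not shown in the thread.
    samples = {
        "one-X Communicator": build_register("Avaya one-X Communicator/6.2"),
        "Agent for Desktop": build_register("Avaya Agent for Desktop/2.0"),
        "Kyle's VDI guess": build_register("VDI Avaya Agent"),
        "no User-Agent": build_register(None),
    }
    for name, msg in samples.items():
        print(f"{name:20} before: {screen_register(msg, PROFILES_BEFORE)}  "
              f"after: {screen_register(msg, PROFILES_AFTER)}")
```

Note that the User-Agent header is supplied by the client, so anyone who can read a capture can send a string that matches the profile. The check keeps unexpected clients from ever reaching SM, which is useful, but it is a filter in front of SM's digest authentication, not authentication on its own.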
 
Thanks Kyle - I think this is getting closer to working. I am able to connect now from my AAD client to my SBC but am missing some features/buttons. Will work on this, but I appreciate all your help with this! - you're awesome :)
 
That's a PPM thing. Got the keys on your one-X Comm through the SBC? There's a spot in SM under 'remote access' and in the SBC in the PPM mapping profile where the public/private/b1/a1/SM IP gets massaged so your phone's HTTPS request for keys and features translates through nicely.
 
Got access to the traceSBC tool - looks like I'm getting a 403 after the handshake, so I am assuming the cert is not matching up:

[screenshot: traceSBC on TELASBI1P001, 2019-08-28, captured 150 / displayed 62 packets]
 
Ha! - re-added User Agent as Avaya Agent*.* and got connected! Hooray!! Now I don't have any audio RTP from ADD passing through, so I am thinking there is something else to configure in the SBC for this new User Agent to pass it.
 
Yeah, I think the UA string maps to an endpoint policy group, so you might have more to do than just add the UA string.
 