If you have deployed Skype for Business and now your company wants to introduce enterprise voice functionality for users, you may well find yourself looking for supported telephony equipment. There are a number of vendors out there that provide SIP connectivity hardware for Skype for Business. However, here in the UK, it seems that Sonus Session Border Controllers (SBCs) are the number one, preferred choice over the other competitors.
This article does not go into detail over which device is best for you, that is down to your own informed choice. However, if you have landed on this post then there is a good chance that you have already decided to use Sonus SBCs and got your hands on either the 1000, or 2000 SBC model.
This article is the first in a series, that provides step by step guides on configuring the Sonus SBC with Skype for Business in order to provide PSTN connectivity for your SfB users. Before we start jumping in and configuring the SBC, we must first understand how the functions on the SBC work.
Throughout this series I will be making a set of assumptions based on an ideal topology in a greenfield deployment. Otherwise, introducing complex real world examples will make the text hard for beginners to pick up and understand. I will try to be as simple as possible in my descriptions and methodologies wherever possible.
Before we begin and take a look at the Sonus SBC, I am assuming the following infrastructure is in place:
- SIP trunk purchased with your Service Provider and you have your connection information and test plan
- Skype for Business has been deployed
- Enterprise Voice has been enabled for users and individual DDIs have been assigned
- The Sonus SBC you are using is either a SBC1000, or SBC2000 unit – this series references SBC1000, but the 2000 is almost identical.
- You have the correct licencing in place for both Skype for Business and Sonus
- SIP connectivity only, no FXO, FXS, ISDN connectivity
It is also worth to note that Sonus themselves, have a well populated knowledge base: https://support.sonus.net/display/UXDOC50/Sonus+SBC+1000-2000+Documentation that will help you along the way. The problem I found when learning how to use a device was that the documentation provided by Sonus assumed that you had a level of competency with their products already. If you are like me, and cut your teeth with new systems in the field of battle rather than having the opportunity to properly study / train then this can be a frustration at times. Therefore, I hope that these guides will help you fill in the voids.
Where to install the SBC
The first decision required is how you are going to connect your SBC to your Service Provider. SIP trunks are cheap and efficient and should be the only connectivity type considered if you are deploying a green field solution. SIP trunks are point-to-point connections between two peers over a TCP or UDP carrier protocol. Without TCP or UDP, SIP is cannot be transported, so this means an underlying connection must be available between peers in order for SIP to exist. This connectivity comes in two main methods. The Internet, and a dedicated circuit between peers e.g. IPDC.
The advantage of the internet, means that SIP connectivity is instantly available, the downsides are that you are consuming shared bandwidth, transmitting your audio streams over unmonitored networks, across multiple routers, switches and servers that you do not have any control over. More importantly, many Service Providers do not support encryption between their endpoints and your SBC. Therefore, signalling and media communications can be easily listened into and intercepted by man in the middle attacks.
By investing in a dedicated circuit allows you and your Service Provider to control access and provide a quality service with guaranteed bandwidth. Having a dedicated circuit also introduces additional benefit such as fraud protection and additional security due to network lock down that allows only direct communication between the service provider endpoints and your own SBC.
So we should now be in agreement that dedicated circuits are the way (only way) forward? Right? Good.
The second decision is where does this SBC need to be installed? Does it go in the production network? Does it go in the perimeter network? Or does it sit in a network that is dedicated to the Sonus SBC? I have seen many deployments whereby the SBC is placed in all three network scenarios; some are more frowned upon than others. For instance, you should not deploy the SBC in your production network because in so doing, brings your network edge to within your controlled network space, bypassing any security you have invested in.
The recommended approach to installing an SBC is to provision a physical network interface (usually interface number 2, or 4 if you have an SBC 2000) on your network edge that defines your direct connection to your Service Provider, without a firewall in between. The reasons, the SBC has built-in access control lists that can be configured to restrict connections from unauthorised sources, and when it comes to media establishment, the IP address for this interface will be used as a candidate for media. If the SBC external interface is provisioned with a public IP address, media establishment is relatively simple. However, if the interface is behind a network firewall, and has been configured with an internal IP address, this will cause media establishment to fail. The reason being that a private IP address offered as an endpoint over a third party network that deals in public IPs cannot be understood by the Service Provider endpoints and will fail authorisation.
However, that being said, there is a way in which the SBC can be configured behind a NAT firewall, so in the event of your network security policy enforcing a NAT firewall between the Service Provider and your SBC, this can be overcome during configuration.
When discussing internal connectivity between the SBC and Skype for Business we have a couple of options. Option 1, would be to connect the internal interface (e.g. Interface 1) to a dedicated network above the production networks and configure access between the Skype for Business mediation servers and the SBC only. This is the most secure method, however, eliminates the ability to perform media bypass. Option 2 would be the same, but instead allow controlled access to the SBC on the desired ports from all internal networks.
In order to start provisioning the SBC, you must first provide a base configuration. This is simple IP settings, hostname, admin password settings. However, you may be wondering how do you connect to the SBC in the first place? The SBC1000 comes with two network interfaces labelled 1 and 2. Connecting interface 1 to your network will use your internal DHCP server to obtain an IP address. You can find the IP address in your DHCP management console using the current leases view, look for the MAC address of your SBC in the lease list. Alternatively, you can connect your laptop directly to interface 2 using a standard CAT5e cable. Interface 2 if un-configured will use the DHCP server on the SBC to provision the IP address to your laptop, thus providing the connectivity you need to complete initial configuration. The SBC IP address if connecting via interface 2 will be 192.168.129.2
Administration of the SBC is exclusively performed using a Web Browser. There is no default admin password, you are able to access the SBC initial setup screen without authentication. However, you must at least configure an admin password in order to exit initial setup and be able to apply a configuration to the SBC.
The initial setup procedure is well documented on the Sonus documentation portal, so there is little value in screenshotting the process for the purpose of this blog post. The initial setup can be found here: https://support.sonus.net/display/UXDOC41/Sonus+SBC+1000+-+Initial+Setup
Viewing the User Interface for the first time
When viewing a new UI for the first time it can be quiet daunting. What does what? What if I make a mistake? Where do I start? Are the main three questions I usually task myself with in this situation. Tempting as it may be to just jump in and “give it a go”, this ultimately leads to poorly configured solutions that make it difficult to scale in production scenarios. Take an hour to get comfortable with the layout before jumping in to config mode. After you become familiar, you will be able to configure a Sonus SBC between the PSTN and Skype for Business in less than 30 minutes at the most basic level.
There are five main sections within the UI; Monitor, Tasks, Settings, Diagnostics and System. These are displayed as tabs at the top of the admin web console.
The Monitor tab has a status light displayed. Green means the system is fully operational, amber means that there is something not quite right, but things may be OK, red means bad, and probably something serious has happened. Clicking on the monitor tab will display the alarm status, with conditions affecting the SBC at the current moment. These alarms will stay present until the issue has been resolved, or an administrator has acknowledged them, and removed. The Monitor tab will also show the active status of each configured port on your SIP trunks configured
A useful link “Show Legend” is available at the top left of the monitor screen
When clicking this link, it will show you the meanings for the different types of monitoring events that happen within the real time monitor for quick reference
The tasks tab contains some high level first configuration steps you can undertake. With the exception of performing a factory reset, rebooting the SBC or performing an ASM installation, I do not use this tab for anything else. I recommend that you use the configuration options under the settings tab to perform the configuration you require.
Skipping the Settings tab for a moment and moving on to Diagnostics tab. This is where you come when “stuff goes wrong”
Here you can download the logs from the SBC directly (useful if you have no syslog server), view system statuses such as processor usage, storage space, as well as a couple of basic tools to help prove / disprove connectivity.
The System tab will provide you a graphical overview of the inventory the SBC contains together with its functional status.
Here it is important that you make a note of your Node Serial Number (this can also be found at the rear of the chassis). You will need this serial number to licence your SBC.
The settings tab is where all the magic happens. In this article, we will not be explaining what each configuration item does, that comes later. But for now, as you can see the configuration is displayed in a config tree.
You may be thinking that perhaps the order of which each configuration item is displayed is the order in which you should configure the SBC? This would be a reasonable assumption. However, sadly this is not the case. The order has no bearing on the order of which you configure the SBC. As you go through the settings in later articles, you will quickly realise that there is no uniformity between them.
Now I will leave you to get to know your SBC a little, and will be back in Part 2 to discuss how to configure security, node settings and updates.
Part 2 >> Configuring the Foundations