
Mitel OpenScape SBC V11 Unify OpenScape Session Border Controller


Specifications

  • Product name: Unify OpenScape Session Border Controller
  • Model: OpenScape SBC V11 with Survivable Branch Appliance (SBA)
  • Installation Guide Date: July 2024
  • Part number: A31003-S53B0-M100-02-76A9

Product Usage Instructions

Introduction

  • Before starting the installation process, review this guide thoroughly to ensure a successful setup of the Unify OpenScape Session Border Controller.

About this guide

  • This guide provides detailed instructions on setting up the OpenScape SBC V11 with Survivable Branch Appliance (SBA).

Setup Requirements

  • Make sure you have the necessary hardware and software requirements as specified in the installation guide before proceeding with the setup.

Configuring SBA on Windows Server

  • Follow the steps outlined in the guide to configure the SBA on a Windows Server environment.

Microsoft Configurations

  • Refer to the specific Microsoft configurations provided in the guide to ensure compatibility and proper setup.

Installing SBA Binary

  • Proceed with the installation of the SBA binary by following the steps below.

DNS Resolution

  • Ensure proper DNS resolution is set up to enable seamless communication within the network.

Certificate Requirements

  • Review the certificate requirements outlined in the guide before proceeding with the installation.

Follow the steps for certificate installation as described:

  1. Step 1: Obtain the required certificates.
  2. Step 2: Install the certificates following the provided instructions.

History of Changes

Issue | Date | Summary
1 | 10/2023 | First issue of the guide.
2 | 07/2024 | Rebranded to Mitel layout.

Introduction

  • The Survivable Branch Appliance (SBA) is an application developed by Microsoft and integrated with the OpenScape Session Border Controller (OSSBC) to enable and maintain calls between the Microsoft Teams Client and the Public Switched Telephone Network (PSTN) in cases of internet outage.
  • If a client site uses Direct Routing to connect to the Microsoft Phone System, there may be an internet connection disruption. During these temporary interruptions, the “branch” at the client site loses connection to the Microsoft Cloud via Direct Routing.
  • However, the intranet within the site remains fully functional, allowing users to maintain their connectivity with the PSTN.
  • The functionality of the Microsoft Teams Client will be limited to the following PSTN call functions:
    • Making PSTN calls via local SBA/SBC with media flowing through the SBC.
    • Receiving PSTN calls via local SBA/SBC with media flowing through the SBC.
    • Hold and Resume of PSTN calls.
  • No other Microsoft Teams Client features will be available. For more information on the functionality of the SBA appliance, please refer to the official Microsoft page for SBA for Direct Routing.
  • For additional information on Direct Routing, please refer to the official Microsoft pages Plan Direct Routing and Configure Direct Routing.
  • Important: This system does not work if the user uses the Teams Client via the web.

About this guide

  • This installation guide outlines the SBA, covering the installation on a Windows Server and the essential configurations in Azure Active Directory, in the SBA Application, in the Direct Routing SBA, and the necessary settings in the SBC. For the setup requirements, please refer to 1.2. Set up Requirements.

The following abbreviations are used in this guide:

Abbreviation | Meaning
SBA | Survivable Branch Appliance
SBA Server | Survivable Branch Appliance application on the Windows Server
DR SBA | Direct Routing Survivable Branch Appliance

Intended audience

  • It is intended for users familiar with installing and upgrading a Microsoft Windows Server. This familiarity should include downloading and installing additional packages for this guide.

Setup Requirements

  • Before installing the SBA, ensure that your system meets the following requirements.
    1. Operating system:
      • The SBA requires a machine running Windows Server.
      • Supported versions include Windows Server 2022 Standard.
    2. Hardware compatibility:
      • The SBA can be installed on either physical hardware or a virtual machine (VM).
      • Note: For optimal performance and compatibility, it is highly recommended to use the OpenScape Kontron 550 hardware with Windows Server 2022 Standard.
    3. Supported Microsoft Teams Clients:
      • The SBA is supported only for the following Microsoft Teams clients.
      • Teams Windows desktop
      • Teams MacOS desktop
      • The SBA also has usage restrictions due to its reliance on 24-hour validity authentication tokens. It can support outages for up to 24 hours from the last token renewal.
      • For more information, please refer to the official Microsoft page for SBA for Direct Routing.

Configuring SBA on Windows Server

  • Certain configurations are necessary to ensure a successful SBA installation and smooth integration.

Microsoft configurations

  • Microsoft requires the following configurations.
  • Direct Routing SBC Configuration: Ensure that the DR SBC is set to “Media Bypass”.
    1. Go to the Microsoft Teams admin center → Voice → Direct Routing → SBC Settings.
    2. Edit the SBC to activate “Media bypass” on the Location-based routing and media optimization session.
  • TLS 1.2: Enable TLS 1.2 on the server to ensure secure communication on the SBA Server.
  • Firewall Port Settings: Allow the following TCP ports in your firewall settings, related to the SBA Server.
  • 3443
  • 4444
  • 8443
  • 443
  • Also, ensure that UDP port 123 is allowed.
  • SBC Port: Allow port 5061 or the port configured on the SBC for SBA communication.
  • In addition, ensure that both the Windows Server and the firewall have been appropriately configured. Refer to Table 1 below for a summarized overview of the necessary firewall configurations.

Traffic type | From | To | Source port | Destination port
Incoming TCP | MS Teams Clients | DR-SBA | Any | 3443
Incoming TCP | MS Teams Clients | DR-SBA | Any | 4444
Incoming TCP | MS Teams Clients | DR-SBA | Any | 8443
Outgoing HTTPS | SBA | Azure IPs | Any | 443
Outgoing TCP | SBA | SBC | Any | 5061 (See SBC)
Outgoing HTTPS | SBC | DR-SBA | Any | 5061

  • Table 1: Firewall configurations
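
The rows of Table 1 that have the DR-SBA as destination, written as Windows Defender Firewall rules scoped to known sources. This is an added example, not part of the Mitel guide; the rule names, the client subnet and the SBC address are assumed placeholders.

```powershell
# Added example: inbound rules for the SBA Server, derived from Table 1.
# Both addresses below are placeholders chosen for this illustration.
$TeamsClientNet = '10.20.0.0/16'   # branch LAN holding the Teams desktop clients (assumed)
$SbcAddress     = '10.20.0.10'     # OpenScape SBC address (assumed)

$rules = @(
    # Teams clients -> DR-SBA on TCP 3443, 4444 and 8443
    @{ Name = 'SBA-Teams-Clients-TCP'; Ports = 3443, 4444, 8443; Remote = $TeamsClientNet },
    # SBC -> DR-SBA on 5061 (or the port configured on the SBC)
    @{ Name = 'SBA-From-SBC-TCP';      Ports = 5061;             Remote = $SbcAddress }
)

foreach ($r in $rules) {
    # Drop an earlier copy so repeated runs do not pile up duplicate rules.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Allow only the listed ports, and only from the expected source.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Ports `
        -RemoteAddress $r.Remote -Profile Domain, Private | Out-Null
}

# Print the resulting scope of each rule for review.
Get-NetFirewallRule -DisplayName 'SBA-*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}
```

Port 8443 also serves the SBA configuration API, so the source scope on that rule decides who can reach the API over the network.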

Installing SBA Binary

  • The installation of the SBA application is completed by the “run installer” method. After transferring the SBA installer package to the Windows server, proceed by clicking “Next” until the installation procedure is finished.
  • If needed, there is an option available to modify the SBA installation directory. For reference, Figure 1 provides a screenshot illustrating one of the steps within this process.
  • Note: The SBA application will be provided by Unify.
  • After completing the installation, verify if the service is running as shown in Figure 2. If it’s not running, make sure to check if all the necessary components are installed.
  • After the binary installation, check the DNS resolution and certificate inclusion configurations. Please refer to chapters 3.1 DNS resolution and 3.2 Certificate Requirements.

DNS Resolution

  • To ensure proper setup and use of the SBA Server, it is necessary to establish a Fully Qualified Domain Name (FQDN). This FQDN can be either public or private.
  • Tip: In case of communication loss, the FQDN of the DR SBC will not resolve because there will not be an external DNS server available to the SBA Server.
  • To address this issue, you need to edit the Windows Server host file and add the FQDN of the SBC for local resolution.
  • The file path is: C:\Windows\System32\drivers\etc

Certificate Requirements

  • A certificate is necessary for TLS negotiation between the SBC and the Teams client. To align with Microsoft’s requirements, make sure that the certificate adheres to the following criteria.
    • Assign the Certificate to both SBC and SBA: The certificate should be assigned to the SBC and the SBA.
    • Public or Private: The certificate can be either public or private.
    • Include the SBA’s FQDN: The Fully Qualified Domain Name (FQDN) of the SBA must be present in the common name (CN) or Subject Alternative Name (SAN) of the TLS certificate.

Certificate Installation

  • To install the certificate and ensure a successful installation for secure communication between the SBC and the Client Teams, follow the steps below:

Step 1: Import the Certificate

  • Import the certificate into the Windows Server Certificate Store:
  • Click on the Start button and then select Run.
  • Enter certmgr.msc, then navigate to Console Root → Certificates (Local Computer) → Personal → Certificates.
  • Right-click to open the context menu, select All tasks, and then Import.

Step 2: Import the Root CA Certificate

  • Import the Root CA Certificate from the Certificate Signaling Authority that signs the certificate. This Root CA Certificate should be in the Trusted Root Certificate Authorities location.
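
A check to run after Steps 1 and 2 that tests the imported certificate against the certificate requirements above (SBA FQDN in CN or SAN) and against the local trust stores. This is an added example, not part of the Mitel guide; the function name Test-SbaCertificate is hypothetical and the FQDN is the one used in this guide's examples.

```powershell
# Added example: verify the certificate imported into Local Computer\Personal.
$SbaFqdn = 'sba1.ossbc.com.br'   # SBA FQDN from this guide's examples

function Test-SbaCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Fqdn
    )
    # Collect the SAN DNS entries and the subject common name.
    $names  = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $names += $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Build the chain from the local stores only. Revocation lookups are
    # switched off so the check also works without internet access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        FqdnInCnOrSan = $names -contains $Fqdn          # comparison is case-insensitive
        HasPrivateKey = $Certificate.HasPrivateKey      # needed to act as TLS server
        InValidity    = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)
        ChainTrusted  = $chainOk                        # false if the Root CA is missing
        ChainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Report every certificate in the store that names the SBA.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SbaCertificate -Certificate $_ -Fqdn $SbaFqdn } |
    Where-Object FqdnInCnOrSan |
    Format-List
```

No output means no certificate in the store carries the SBA FQDN; ChainTrusted set to False usually points at the Root CA import in Step 2.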

Configuring the Azure Active Directory SBA Application

  • To ensure the SBA can access data from Microsoft 365, it must be registered in Azure Active Directory. It’s important to note that only one application registration is needed to cover all SBAs within a tenant.
  • To complete this registration and configure the DR SBA, the following information is required.
    1. Application Name: Any name of your choice.
    2. Supported Account Types: Account in this organizational directory only.
    3. Web Redirect URI: https://login.microsoftonline.com/common/oauth2/nativeclient
    4. Implicit Grant Tokens: Access tokens and ID tokens.
    5. API Permissions: Skype and Teams Tenant Admin:
      • Access -> Application Permissions -> application_access_custom_sba_appliance
    6. Client Secret: You can use any description and set an expiration.
  • Note: Please make sure to save the Application ID (Client) and Client Secret, as they will be used in the application configuration.
  • Follow the steps outlined below to register and configure the SBA using the Azure portal: https://portal.azure.com.

Step 1: Register an application

Step 2: Define Implicit Grant Tokens

Step 3: Define API Permissions

Step 4: Create the Client Secret

  • After completing these steps, the overview screen will be as shown in Figure 10.

Configuring Direct Routing SBA

  • SBAs and the branch survivability policies need to be created using the PowerShell Teams cmdlet for Teams and subsequently assigned to Teams users.
  • This configuration is essential for informing the Teams client about the availability of SBAs at each branch.
  • To perform these tasks, you will require several PowerShell libraries, which can be installed using the following commands.
  • Install-Module -Name PowerShellGet -Force -AllowClobber
  • Install-Module -Name MicrosoftTeams -Force -AllowClobber

The settings must be made according to the following steps:

  1. Step 1: Create the SBAs
    • Command: New-CsTeamsSurvivableBranchAppliance
    • Parameters:
    • Fqdn: SBA FQDN
    • Description: SBA Description
    • Example: New-CsTeamsSurvivableBranchAppliance -Fqdn sba1.ossbc.com.br -Description "SBA 1"
    • Identity: sba1.ossbc.com.br
    • Fqdn: sba1.ossbc.com.br
    • Site:
    • Description: SBA 1
  2. Step 2: Create the Teams Branch Survival Policy
    • Command: New-CsTeamsSurvivableBranchAppliancePolicy
    • Parameters:
    • Identity: Policy Identity
    • Fqdn: SBA FQDN
    • Example: New-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns "sba1.ossbc.com.br"
    • Identity: Tag:CPH
    • BranchApplianceFqdns: {sba1.ossbc.com.br}
  3. Step 3: Assign a Policy to a User
    • Command: Grant-CsTeamsSurvivableBranchAppliancePolicy
    • Parameters:
    • PolicyName: Policy Identity
    • Identity: Teams user
    • Example: Grant-CsTeamsSurvivableBranchAppliancePolicy -PolicyName CPH -Identity sbc01@8lrpr0.onmicrosoft.com
    • For more detailed commands and information, please refer to the official Microsoft page SBA for Direct Routing.

Configuring the SBA Application

  • After completing the preceding steps, the basic SBA configuration will be completed. At this point, please confirm that the SBA Server is up and running.
  • The SBA Application is configured through an API, and a client is required to execute the commands. One example of a REST API client is the Postman program.
  • Postman is available at: https://www.postman.com/downloads/
  • The commands use PUT or GET to send or receive the configuration parameters to/from the SBA Application. 200 OK and 202 Accepted are the successful response messages.
  • The SBA Application uses port 8443 for HTTPS communication. When using Postman, ensure that your client certificate is included in the application’s settings.
  • When querying the HTTPS API, use the FQDN:PORT or IP:PORT combination in the URI address.

The API command list is as follows:

  • GET https://localhost:8081/api/v1/diagnostics/state
    • Method: GET
  • Provides the SBA state. The initial state is “waiting for initial parameters,” and after the configuration, the state is “ready.”
  • PUT https://localhost:8081/api/v1/diagnostics/configurations/basic
    • Method: PUT and GET
    • Parameters:
      • serverCertificateCommonName: SBA Certificate common name.
      • clientCertificateThumbprints: SBC Certificate Thumbprint
      • localSipIPAdress: SBA IP address
  • Provides the basic configuration to SBA.
  • PUT https://192.168.158.230:8443/api/v1/configurations/general
    • Method: PUT and GET
    • Parameters:
      • identity: SBA FQDN configured on DR SBA
      • tenant: Identity of your Tenant
      • logger:
        • directory: SBA Log directory
        • level: SBA log level: Critical, Error, Warning, Information, Debug, Trace, None.
        • maxArchiveFiles: Log file range: 24-10000
  • Provides the configuration to SBA.
  • PUT https://sba1.ossbc.com.br/api/v1/configurations/secure
    • Method: PUT
    • Parameters:
      • applicationId: The application ID (client)
      • appSecret: The Client Secret from DR SBA
  • Provides security information to the SBA and is necessary for the tenant information synchronization.
  • After the SBA configuration, the MS Teams service should be restarted.
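
The general and secure configuration calls above, driven from PowerShell with a client certificate instead of Postman, with the Client Secret prompted for rather than stored in the script. This is an added example, not part of the Mitel guide; the JSON body layout (flat keys with a nested logger object), the client certificate location and all values in angle brackets are assumptions or placeholders.

```powershell
# Added example: SBA configuration API over HTTPS on port 8443.
# Windows PowerShell 5.1 needs TLS 1.2 selected explicitly.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Base       = 'https://sba1.ossbc.com.br:8443'   # FQDN:PORT form
$Thumbprint = '<CLIENT-CERT-THUMBPRINT>'         # placeholder
$Client     = Get-Item "Cert:\CurrentUser\My\$Thumbprint"   # store location assumed

function Invoke-SbaApi {
    param([string] $Method, [string] $Path, [hashtable] $Body)
    $req = @{ Uri = "$Base$Path"; Method = $Method; Certificate = $Client }
    if ($Body) {
        $req.ContentType = 'application/json'
        $req.Body        = $Body | ConvertTo-Json -Depth 4
    }
    # Throws on any non-success status, so a silent failure is not possible.
    Invoke-RestMethod @req
}

# 1. State before configuration.
Invoke-SbaApi -Method Get -Path '/api/v1/diagnostics/state'

# 2. General settings. Body shape is an assumption based on the parameter list.
Invoke-SbaApi -Method Put -Path '/api/v1/configurations/general' -Body @{
    identity = 'sba1.ossbc.com.br'
    tenant   = '<TENANT-ID>'
    logger   = @{ directory = '<LOG-DIRECTORY>'; level = 'Information'; maxArchiveFiles = 24 }
}

# 3. Secure settings. The secret is typed at a prompt, kept out of the script
#    and out of the command history, and cleared afterwards.
$secure = Read-Host -Prompt 'Client Secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    Invoke-SbaApi -Method Put -Path '/api/v1/configurations/secure' -Body @{
        applicationId = '<APPLICATION-ID>'
        appSecret     = $plain
    }
} finally {
    Remove-Variable plain, secure
}

# 4. State after configuration.
Invoke-SbaApi -Method Get -Path '/api/v1/diagnostics/state'
```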

Configuring the OpenScape SBC

  • The SBA configuration on the SBC must be done by enabling SBA in the SIP Service Provider Profile GUI.
  • OSSBC V11, SBC MS Direct Routing, and MS SBA licenses are required to enable the SBA Feature.

The following parameters must be provided:

  • Certificate profile: the certificate must be the same as the one added on the SBA Server. It is recommended to use a specific certificate for the SBA.
  • IP address: the IP or FQDN of the SBA Server. It is highly recommended to use the FQDN.
  • Port: by default, SBA uses port 5061.

Additional information:

  • The SBC uses the fork mechanism to send SIP messages to the SBA. Therefore, for the correct feature function, the MS Teams endpoints must be configured as follows:
    1. The endpoint audit must be disabled when using SBA.
    2. In BYOT, the endpoint connection check must be disabled.

Notices

The information contained in this document is believed to be accurate in all respects but is not warranted by Mitel Europe Limited. The information is subject to change without notice and should not be construed in any way as a commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and subsidiaries assume no responsibility for any errors or omissions in this document. Revisions of this document or new editions of it may be issued to incorporate such changes. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose without written permission from Mitel Networks Corporation.

Trademarks

  • The trademarks, service marks, logos, and graphics (collectively “Trademarks”) appearing on Mitel’s Internet sites or in its publications are registered and unregistered trademarks of Mitel Networks Corporation (MNC) or its subsidiaries (collectively “Mitel”), Unify Software and Solutions GmbH & Co. KG or its affiliates (collectively “Unify”) or others. Use of the Trademarks is prohibited without the express consent of Mitel and/or Unify.
  • Please contact our legal department at iplegal@mitel.com. For more information, see the list of Mitel and Unify registered trademarks worldwide. Website: http://www.mitel.com/trademarks.
  • © Copyright 2024, Mitel Networks Corporation
  • All rights reserved

Customer service

  • mitel.com
  • © 2024 Mitel Networks Corporation. All rights reserved. Mitel and the Mitel logo are trademarks of Mitel Networks Corporation.
  • Unify and associated trademarks are trademarks of Unify Software and Solutions GmbH & Co. KG. All other trademarks mentioned here are the property of their respective owners.
  • A31003-S53B0-M100-02-76A9, 07/2024
  • OpenScape SBC V11 with Survivable Branch Appliance (SBA), Installation Guide

FAQ

What should I do if I encounter errors during the installation process?

If you encounter any errors or issues during the installation, refer to the troubleshooting section in the guide or contact our customer support for assistance.
