The following describes the process for configuring and testing the 3G4G fail-over feature on the SBC Edge.
Feature Overview
Many enterprises employ multiple branch sites connected to the headquarters (HQ) facility through a WAN link provided by a telecom vendor. Microsoft Lync® clients at the branch office maintain connectivity with the corporate Lync server located at the headquarters. In the event of a telecommunication failure the WAN link may fail, thereby breaking connectivity between the branch and the HQ.
SBC Edge devices interoperate with Microsoft's Lync solution to provide branch survivability in the event of such network failures. An SBC deployed at the branch site monitors the network links, detects such failures and switches over to a backup network connection, restoring IP-layer connectivity between the branch and HQ. The configuration described below then restores voice and data connectivity between the branch and HQ over that backup path, taking into account the security of data crossing the public Internet (IPsec) and the fact that a 3G/4G backup connection usually has far less bandwidth than the WAN link (CAC profiles).
Prerequisites
- Licenses: RBA and IPsec license must be installed on the HQ-SBC, and IPsec on the branch office SBA. The IPsec license is bundled with the RBA license.
- Backup Network connection - typically in the form of a 3G/4G/DSL/cable-modem router.
- VLAN Capable Ethernet Switch - If an SBC 1000 is used in the branch-site, there may be a requirement for an external VLAN Capable Ethernet switch, as SBC 1000 has only two Ethernet ports. One such Ethernet port is typically connected to the branch network. The other Ethernet link must be shared for communication with the two gateways (primary WAN, secondary 3G4G) by using tagged VLANs.
- An ASM Module at the HQ-site running the RBA image.
- A functional 3G/4G network, always online (some of the 3G/4G routers disable the cellular uplink in idle conditions).
- The HQ SBC must be reachable on the DMZ without VPN on its WAN-side IP address (this IP address is typically configured as the "remote address" in IPsec tunnel configuration).
- When host monitoring is enabled, the monitored host must be a system in the HQ network. This system is monitored by the Branch SBC using ICMP. Hence the firewall at the HQ must be configured such that the ICMP packet exchange between the Branch SBC and the monitored-host are accepted/forwarded over the 3G network as well as the WAN network.
About the ICMP-Reachability Requirement
We expect that the typical deployment has:
- Branch-SBC monitoring both the primary gateway and the secondary gateway.
- Branch-SBC monitoring a host at the HQ (to help detect failures along the path).
The host must be reachable with ICMP on both the primary path and the secondary path. Customers' networks differ in these aspects (which is of course why we have the beta process). The following two issues may arise:
- If the host is in the DMZ zone, it is reachable through the secondary (3G) path, but may not be reachable through the primary path.
- If the host is in the corporate network, it is reachable through the primary path, but may not be ICMP-reachable over the secondary path unless IPsec is set up.
One of the above two scenarios must work, in order for host-monitoring to work. For comparison, at Ribbon/NET, both the examples above work. Hosts in the DMZ zone are reachable on both the paths. Hosts in the corporate network are also ICMP-reachable on both the paths without IPsec/VPN (only ICMP, but for all other protocols, IPsec/VPN is required). We will have to use one of the above two methods at the customer sites to enable/configure host-monitoring.
Configuration
HQ Lync Configuration
A full Lync configuration must be deployed at the HQ location. The following steps must be performed in addition to the usual configuration procedure.
- Create a Policy Profile for the branch.
- For example, if the name of the branch is Taveuni, the policy profile should be named TaveuniCAC. The name of the Policy Profile is extremely important and is required when the Branch SBC is configured.
- On the Lync server, a subnet is associated with a site. A site is associated with a region. Region-to-region links may then be created and associated with a CAC Profile. These steps must be performed on the Lync server using the standard Lync configuration procedure.
- Configure a PSTN Gateway on Lync using the IP address of the Branch SBC.
- At the HQ Active Directory server used by the Lync setup, the HQ-ASM computer must be made a member of the RTCUniversalServerAdmins group. All CAC updates are performed by the HQ ASM computer with the computer's token and not the user's token.
- While setting the group membership, verify the Group Policy Refresh settings. Because AD settings reach the domain computers only according to the AD Group Policy configuration, the HQ ASM might not hold the correct permissions immediately after the membership change. To ensure that the HQ ASM can update the CAC Policy in the Lync server database, the ASM module may require a reboot. The specific settings are: Group Policy Refresh Interval and Turn off group policy refresh.
HQ-RBA (HQ-ASM) Configuration
- In Active Directory the HQ ASM computer (hostname) must be a member of the group RTCUniversalServerAdmins. This membership enables the HQ RBA software to modify CAC profiles in the Lync server's database.
- The HQ ASM must use the RBA image that is delivered as part of the 3.0.0 release. The deployment steps must involve the following at a minimum.
- Configure IP addressing, DNS servers and default gateways (unchanged from any SBA deployment).
- It must join the same Windows domain as the Lync server (unchanged from SBA deployment). In order to join the domain, a Domain User account is required. This account does not have any special group membership or security requirements. It only needs to be a regular Domain User account.
Branch IPsec Configuration
Create IPsec Tunnel Entry
- Tunnel Activation: Link Monitor Action.
- This field indicates that the tunnel is activated/deactivated automatically when a specific gateway is in use (configured under Link Monitor).
- Local address: Any.
- Remote address: HQ SBC's IP address that leads to the Internet. Must be on the DMZ so that it is reachable for setting up the IPsec tunnel.
- Local Subnet Address: Branch subnet.
- Remote Subnet Address: The HQ subnets that house the Lync and Exchange servers (these are the same subnets entered as Local Subnet Addresses on the HQ side).
HQ IPsec Configuration
See Figure Above
- Operating Mode: Responder.
- Local Address: Select the interface leading to the Internet.
- Remote Address: Any.
- Local Subnet Addresses: Choose the subnets that have the Lync server, Exchange server.
- Remote Subnet Addresses: branch subnet(s).
Branch Site CAC Profiles
At the branch site, one CAC Profile must be configured for each of the next-hop gateways.
Lync maintains only one bandwidth policy for each branch. The same name must be used as Lync Profile Name in the CAC Profile.
Create Skype/Lync CAC Profile
The CAC Profile description is a free-form text field. However, the operator should write a concise description such that it identifies the type of the nexthop gateway or the network. For example, one would configure the Lync profile for the Taveuni branch as TaveuniCAC. The CAC Profile description for the MPLS gateway would be Taveuni CAC over MPLS Sprint and for the 3G-gateway, Taveuni CAC over Verizon 3G.
Typically, the CAC Profile associated with the MPLS-gateway enables both video and audio depending on the bandwidth of that link. The CAC Profile associated with the 3G/4G link may enable audio but typically not video as the bandwidth over a cellular WAN link is much lower than a wired WAN link. The audio may be completely disabled on the 3G/4G link so that PSTN/TDM ports are used for the media traffic from Lync calls.
At the HQ, it is still permissible to have a gateway for each of the possible paths into the Internet or to the branch sites. Each gateway must still be associated with a reasonable CAC profile, even though there is no real end-use for configuring CAC profiles at the HQ. The Lync configuration does not use CAC profile information for the HQ, it uses only the CAC profiles associated with the branch sites.
Branch Site Link Monitor
- Configure two default static routes, one for the WAN gateway and one for the 3G/4G gateway.
- Make sure that the Lync setup works between the branch and the HQ over the MPLS WAN gateway.
- Configure two link-monitor entries, one for each of the gateways.
- If a host is monitored in addition to the gateways, it must be the FQDN or IP address of a host on the HQ network and not on the DMZ network. For example, this can be the FQDN or IP address of the Lync server, or the IP address of the HQ SBC's HQ-side interface (not its DMZ/Internet-side interface). More precisely, the selected host must satisfy both of the following conditions:
- On a path that does not require IPsec, the monitored host must be reachable without IPsec.
- On a path that requires IPsec, the monitored host must not be reachable unless and until the IPsec tunnel is set up. In particular, the monitored host must not be the remote address of an IPsec tunnel on the 3G network, because that address answers without the tunnel and would mask a tunnel failure.
- On the 3G/4G gateway, associate the IPsec tunnel from branch to HQ.
- Perform a switchover from the WAN link and make sure that the IPsec tunnel is automatically established over the 3G/4G link.
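The following is an added, illustrative model of the behaviour this section and the Branch Site CAC Profiles section describe; it is Python written for this page, not Ribbon SBC Edge code, and the gateway addresses, tunnel name, host address and the FakeNetwork probe are constructed assumptions so that it runs offline. It shows a link monitor that probes both gateways and the HQ host, switches to the 3G/4G gateway after a run of failed polls, activates the associated IPsec tunnel as the Link Monitor Action does, reports which gateway's CAC profile now applies, preempts back to the WAN when it recovers, and rejects the misconfiguration in which the monitored host is an IPsec tunnel's remote address.

```python
# Added example: model of a branch-site link monitor (not Ribbon SBC Edge code).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# probe(gateway_address, target) -> True if target answers ICMP when the
# packet is sent out via that gateway. A FakeNetwork stands in for real pings.
Probe = Callable[[str, str], bool]


@dataclass
class Gateway:
    name: str
    address: str
    cac_description: str            # CAC profile bound to this next-hop gateway
    video: bool                     # what that CAC profile allows on this path
    ipsec_tunnel: Optional[str] = None   # tunnel whose Activation = Link Monitor Action


@dataclass
class LinkMonitor:
    gateways: List[Gateway]         # priority order: WAN first, then 3G/4G
    monitored_host: Optional[str]
    ipsec_remote_addresses: List[str]
    activate_tunnel: Callable[[Optional[str]], None] = lambda name: None
    failure_threshold: int = 3      # consecutive failed polls before switchover
    failures: Dict[str, int] = field(default_factory=dict)
    active: Optional[Gateway] = None
    tunnel_up: Optional[str] = None

    def __post_init__(self) -> None:
        # A tunnel endpoint answers ICMP without IPsec, so using it as the
        # monitored host would hide a tunnel that never came up.
        if self.monitored_host in self.ipsec_remote_addresses:
            raise ValueError("monitored host must not be an IPsec remote address")

    def _path_ok(self, gw: Gateway, probe: Probe) -> bool:
        if not probe(gw.address, gw.address):
            return False
        if not self.monitored_host:
            return True
        # A path that needs IPsec only reaches the host once its tunnel is up,
        # so the host is probed there only while that path is the active one.
        if gw.ipsec_tunnel and gw is not self.active:
            return True
        return probe(gw.address, self.monitored_host)

    def _switch_to(self, gw: Gateway) -> None:
        if gw is self.active:
            return
        self.active = gw
        self.tunnel_up = gw.ipsec_tunnel       # tunnel follows the gateway in use
        self.activate_tunnel(self.tunnel_up)
        self.failures[gw.name] = 0

    def poll(self, probe: Probe) -> Gateway:
        for gw in self.gateways:
            ok = self._path_ok(gw, probe)
            self.failures[gw.name] = 0 if ok else self.failures.get(gw.name, 0) + 1
        # Highest-priority gateway under the threshold wins; this also preempts
        # back to the WAN once its path is healthy again.
        for gw in self.gateways:
            if self.failures.get(gw.name, 0) < self.failure_threshold:
                self._switch_to(gw)
                return gw
        raise RuntimeError("no usable gateway")


class FakeNetwork:
    """Constructed stand-in for ICMP probing (assumption, for offline use)."""

    def __init__(self, host: str, tunnel_gateway: str, tunnel_name: str) -> None:
        self.down = set()            # (gateway_address, target) pairs that do not answer
        self.host, self.tunnel_gateway, self.tunnel_name = host, tunnel_gateway, tunnel_name
        self.tunnel_up: Optional[str] = None

    def activate_tunnel(self, name: Optional[str]) -> None:
        self.tunnel_up = name

    def probe(self, gateway: str, target: str) -> bool:
        if (gateway, target) in self.down:
            return False
        if target == self.host and gateway == self.tunnel_gateway:
            return self.tunnel_up == self.tunnel_name   # host behind IPsec on 3G/4G
        return True


def simulate(down_polls: int = 4) -> List[Tuple[str, Optional[str], str]]:
    """Return (active gateway, tunnel up, CAC description) per poll."""
    wan = Gateway("WAN", "192.0.2.1", "Taveuni CAC over MPLS Sprint", video=True)
    cell = Gateway("3G4G", "192.0.2.254", "Taveuni CAC over Verizon 3G", video=False,
                   ipsec_tunnel="Branch-to-HQ")
    net = FakeNetwork(host="10.0.0.10", tunnel_gateway=cell.address, tunnel_name="Branch-to-HQ")
    mon = LinkMonitor([wan, cell], "10.0.0.10", ["203.0.113.5"], net.activate_tunnel)
    trace = []
    trace.append(mon.poll(net.probe))                 # steady state on the WAN
    net.down.add((wan.address, "10.0.0.10"))          # MPLS breaks beyond the gateway
    for _ in range(down_polls):
        trace.append(mon.poll(net.probe))
    net.down.clear()                                  # MPLS recovers
    trace.append(mon.poll(net.probe))
    return [(g.name, g.ipsec_tunnel if g is mon.active else None, g.cac_description)
            if False else (g.name, mon.tunnel_up if g is mon.active else g.ipsec_tunnel if g.ipsec_tunnel and g is not wan else None, g.cac_description)
            for g in trace] if False else _describe(trace)


def _describe(trace: List[Gateway]) -> List[Tuple[str, Optional[str], str]]:
    return [(g.name, g.ipsec_tunnel, g.cac_description) for g in trace]


def rejects_tunnel_endpoint_as_host() -> bool:
    """True if the monitor refuses a tunnel remote address as the monitored host."""
    try:
        LinkMonitor([Gateway("WAN", "192.0.2.1", "x", True)], "203.0.113.5", ["203.0.113.5"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

Each poll returns the gateway in use; the tunnel column is the tunnel activated for that gateway (none on the WAN), and the CAC description tells the operator which bandwidth policy Lync is being notified about. With the default threshold of three failed polls the trace is WAN for three polls, 3G4G with Branch-to-HQ for two, and WAN again once the MPLS path recovers.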
Branch and HQ SIP SG and SIP Server Configuration
- SIP SG between Branch SBC and HQ SBC, and the SIP SG used between Branch SBC and HQ Lync must be in the bind/bind mode. The IP address must be the IP address of the Branch SBC on the branch subnet side. It must not be from the interface leading to the HQ/Internet.
- The SIP SG between HQ SBC to Branch SBC must be in the bind/bind mode. The IP address must be the IP address of the HQ SBC on the HQ subnet side. It must not be the one leading to the branch/Internet.
- (All systems in all branches and HQ know the Branch SBC by its FQDN or by its address on its branch subnet)
- SIP Server Config
- The Branch SBC must use the remote subnet side IP address of the HQ SBC as the SIP server IP address for the SIP SG between the Branch SBC and the HQ SBC.
- The HQ SBC must use the remote subnet side IP address of the Branch SBC as the SIP server IP address for the SIP SG between the HQ SBC and the Branch SBC.
- Federated IP/FQDN - Configuration of this depends on the SIP server configuration. HQ side SIP SG should use the branch subnet as the Federated IP/FQDN and vice versa. The IP addresses of the subnets between the HQ SBC and the Branch SBC should not be used.
STUN Setting
- STUN must be enabled (Media System Configuration) on branch SBC and HQ SBC. It is required for the IPsec feature to work.
Branch Site SIP Notification
- In the SIP SG from Branch SBC to HQ SBC, select Enabled in the Notify CAC Profile list box. This allows the CAC Profile information to be sent as a header in the NOTIFY messages sent from the branch to all SIP servers configured for that SIP SG.
Branch Site PSTN Connectivity
When Lync realizes that the branch-SBC is connected to the HQ over a low-bandwidth link, as identified by the parameters of the CAC Profile, it forwards all Lync calls (from the branch Lync clients) to a different destination, by sending a new INVITE directly to the branch-SBC. In this context, the branch SBC is configured as the PSTN Gateway on the Lync server.
- In order for this to work, the SIP signaling groups between the Branch SBC and the HQ Lync server must use TLS.
- The Branch SBC must be configured such that these SIP INVITEs trigger call setup over the PSTN (TDM). Note that all signaling to establish such calls still travels over the 3G/IPsec link; only the media is rerouted over the PSTN call.
- Typically the branch site has PSTN connectivity over a T1/E1 link or FXO ports.