Item | Description |
---|---|
Enable ALG Multi-VLAN support | Select the Enable ALG Multi-VLAN support checkbox to support multiple VLANs with a certificate for VLANs. This option is visible only if Enable VLAN support is enabled on the Network page. |
ALG LAN using VLAN ID | If VLAN support is enabled, you must select a VLAN for the ALG to support. Choose an option from the ALG LAN using VLAN ID drop-down list. The ALG can support only one VLAN. This feature allows the system to recognize and register a network appliance before it presents the IP telephone or data device through its public WAN port. This option is visible only if Enable VLAN support is enabled on the Network page. |
Enable LLDP | Select the Enable LLDP checkbox to allow the Application Layer Gateway (ALG) to use the Link Layer Discovery Protocol (LLDP) to send periodic broadcasts advertising information about the sending device. |
LLDP Broadcast Interval | Enter the interval in seconds between LLDP frame broadcasts. |
TFTP server IP address | Enter the TFTP server IPv4 address to allow the system to act as a TFTP server that provides subsequent configuration information to other VoIP phones or devices. |
ALG Settings | |
Use ALG Alias IP Address | Select the Enable ALG IP Addressing checkbox and choose one of the following based on your system configuration: ALG LAN Interface IP Address (IPv4), ALG LAN Interface IPv6 Address, ALG WAN Interface IP Address (IPv4), or ALG WAN Interface IPv6 Address. Note: In some cases, the ALG addresses do not correspond to the addresses of the LAN or WAN ports; they are alias addresses that have been configured on the ports. In general, you should leave this feature disabled. |
ALG LAN Interface IP Address | Enter the IPv4 address on the LAN that endpoints communicate with. Generally, this is the same as the LAN IP address. |
ALG LAN Interface IPv6 Address | Enter the IPv6 address on the LAN that endpoints communicate with. |
ALG WAN Interface IP Address | Enter the IPv4 address on the WAN that communicates with the softswitch. Generally, this is the same as the WAN IP address. |
ALG WAN Interface IPv6 Address | Enter the IPv6 address on the WAN that communicates with the softswitch. |
NAT Addressing | Configure public and private NAT addressing. |
Public NAT WAN IP address | Enter the public IPv4 address (the Public NAT Subscriber IP address) that the perimeter security appliance provides for static one-to-one mapping. This allows incoming traffic to the public IP to be translated to the system's internal IP. This is typically called a private demilitarized zone (DMZ), which allows devices in the DMZ to be configured with a private RFC 1918 address. The NAT configuration must be a public IPv4 address configured for one-to-one NAT translation, without any port mapping, to the Video Border Proxy (VBP)-E internal DMZ WAN IPv4 address. |
Private NAT LAN IP address | Enter the private IPv4 address that the perimeter security appliance provides for static one-to-one mapping. This allows incoming traffic to the private IP to be translated to the system's internal IP. This is typically called a private DMZ, which allows devices in the DMZ to be configured with a specific DMZ internal address. The NAT configuration must be an IPv4 address configured for one-to-one NAT translation to the VBP-E internal DMZ LAN IPv4 address. Typically, this interface is not placed in a NAT environment, but it can be used in advanced security scenarios. |
Client and Media Settings | |
Do strict RTP source check | Select the Do Strict RTP Source Check checkbox to protect against specific Real-time Transport Protocol (RTP)-based denial-of-service attacks and to handle network-based gateways that continue to send an RTP stream after a call ends. If the source of an inbound RTP stream does not match the IP address and port of an existing outbound RTP stream, the inbound stream is assumed to be "rogue RTP." When rogue RTP is detected, a syslog message is generated and the inbound stream is dropped. |
Enable Client List lockdown | Select the Enable Client List Lockdown checkbox to prevent new clients from registering. Note: You must first configure the Client List. Choose VoIP > Client List and refer to Configure the Clients List. Caution: Do not use Client List Lockdown and Allow Shared Usernames at the same time. |
Allow Shared Usernames | Select the Allow Shared Username checkbox to allow multiple clients to register using the same username. A new entry and a unique contact field are generated for each client. Caution: Do not use Client List Lockdown and Allow Shared Usernames at the same time; new phones using an existing username will not be added to the Clients List and will fail to work. |
Strip G.729 from calls | Select the Strip G.729 From Calls checkbox to improve codec compatibility between legacy and newer networks by removing all references to G.729 from the codec lists of calls made using SIP. The codecs offered in the signaling protocol are listed in the Session Description Protocol (SDP) body; when this option is enabled, the G.729 entries are removed from the SDP. |
SIP Port Settings | Configure UDP, TCP, and TLS related parameters for SIP. Refer to Configure SIP Port Settings. |
UDP System Port | Specifies the ports on which the system listens for SIP over UDP messages from SIP clients. To specify multiple UDP ports, separate each port with a comma. Default is "5060,5070,5075." |
REGISTER restricted to port | When set to a non-zero port number that matches one of the configured UDP inbound ports, REGISTER requests are processed only on that port. REGISTER messages sent to other SIP ports are logged and discarded without further processing. When set to zero, REGISTER requests are processed normally on all configured SIP ports and connections. Default is 0. |
UDP System Source Port | Specifies the source port to use when sending SIP over UDP messages to the SIP server. The system also listens for SIP messages on this port, similar to the client listening ports. Default value is 5060. |
Block UDP support on WAN | When enabled, WAN ingress is disabled for SIP over UDP. |
TCP System Port | Specifies the port on which this device listens for SIP over TCP connection requests. Enter any valid TCP port. Default value is 5060. |
TCP Connection Timeout (m) | Sets the inactivity timeout in minutes. The system monitors all TCP connections, and if there is no activity on a connection for the specified amount of time, that connection is closed. Minimum value is 4 minutes. |
Block TCP support on WAN | When enabled, WAN ingress is disabled for SIP over TCP. |
TLS System Port | Specifies the port on which this device listens for SIP over TLS connection requests. Enter any valid TCP port. The TLS port cannot be the same as the TCP port. |
TLS Protocol | Allows you to choose a TLS protocol version. The following options are available: TLSv1.2 (allows only TLS protocol version 1.2, RFC 5246) and TLSv1.3 (allows only TLS protocol version 1.3, RFC 8446). |
Use only selected version | When enabled, only the selected TLS protocol version can be used; higher versions are not accepted. |
Ciphers String | Adds or restricts the cipher suites offered by this device during a TLS handshake. See Ciphers for a detailed description of the format of this string. |
LAN Certificate | The X.509 certificate for the interface, in PEM format. Certificates are loaded using the Security > Certificates page. Make sure that the common name (CN) in the certificate matches the domain name or IP address of the interface. |
LAN Policy | Peer certificate verification policy. No check: the peer certificate is not verified. Verify if provided: send a client certificate request to clients but continue the handshake if the client does not return a certificate; fail if a certificate is returned and its verification fails. Require and Verify: send a client certificate request to clients and continue only if the client sends a certificate and the certificate verification succeeds. Require and Verify Once: same as Require and Verify, except that client certificate requests are not sent during renegotiation. |
WAN Certificate | The X.509 certificate for the interface, in PEM format. Certificates are loaded using the Security > Certificates page. Make sure that the common name (CN) in the certificate matches the domain name or IP address of the interface. |
WAN Policy | Peer certificate verification policy. No check: the peer certificate is not verified. Verify if provided: send a client certificate request to clients but continue the handshake if the client does not return a certificate; fail if a certificate is returned and its verification fails. Require and Verify: send a client certificate request to clients and continue only if the client sends a certificate and the certificate verification succeeds. Require and Verify Once: same as Require and Verify, except that client certificate requests are not sent during renegotiation. |
Block TLS support on WAN | When enabled, WAN ingress is disabled for SIP over TLS. |
Exclude sips headers for TLS Transport | When enabled, the 'sip' URI scheme is used in the translated SIP message instead of 'sips'. This option is available only for TLS transport. |
Set TLS source port | When enabled, the EdgeMarc uses its listening port as the TLS source port for egress connections. |
NAT Traversal | This feature is available only on the 2900, 4700, 4800, 4552v2 and 6000 platforms. |
Disabled | NAT traversal for SIP is disabled. |
RFC-3581 | With RFC-3581 support, the system inserts rport in the outbound SIP messages sent to the softswitch. RFC 3581 resolves failed SIP responses in a NAT environment. It is recommended that "Use RFC3581 UAS response for signaling modification" be checked when RFC-3581 is selected. For media to work properly, symmetric RTP support on the media server or one-to-one port mapping on the NAT router is required. When RFC-3581 is selected, configure the keep-alive logic on the Survivability page. The recommended keep-alive interval is 30 seconds; the interval may vary for different NAT routers. |
STUN | The system enables STUN to support NAT traversal for both SIP signaling (UDP only) and media. When STUN is selected, configure the "STUN Server" settings and the keep-alive logic on the Survivability page. The recommended keep-alive interval is 30 seconds; the interval may vary for different NAT routers. |
B2BUA Options | Configure B2BUA options. |
Route all SIP signalling through B2BUA | This option causes all SIP messages to be processed by the B2BUA. |
Enable Microsoft Feature | Selecting this setting enables all Microsoft-related feature logic, for example: allow a WAN-side B2BUA trunking device, respond to OPTIONS messages from MSFT servers, insert the ptime attribute in the SDP body, and so on. |
Enable Comfort Noise Generation (CNG) | This option keeps the Comfort Noise Generation (CNG) engine in the RTP media path so that it translates comfort noise packets between the two endpoints. |
Enable User-Agent header pass-through | Select this option to pass the User-Agent header from the ingress SIP message to the egress SIP message when routed via the B2BUA. When disabled, the B2BUA inserts a system-generated custom string in the User-Agent header of the egress SIP request message. This has no effect on SIP messages processed via the ALG. |
B2BUA Redirect Support (302) | If enabled, EdgeMarc processes the 302 response and sends an INVITE request to the number obtained from the Contact header (except when the Contact header contains an FQDN). When disabled, EdgeMarc translates the 302 response back to the caller. Enabled by default. |
PANI Header | Refer to Configure PANI Header Settings. |
Enable PANI Header Support | If enabled, EdgeMarc adds the PANI (P-Access-Network-Info) header to all requests and responses (except ACK and CANCEL requests and responses). Disabled by default. |
Access Type | Specifies information about the access network used; its value is set as per RFC 7315. Default value is "IEEE-802.11". |
Access Info | Additional information about the access network used. Access Info is selected as location-info, and the location-info is then updated with the EdgeMarc LAN/WAN IP. Note: The format of the PANI header with location info is: P-Access-Network-Info: Access Type;"location-info=EdgeMarc LAN/WAN IP";"ue-ip=EdgeMarc LAN/WAN IP";"ue-port=5060". |
Access Info String | This string is updated according to the value of Access Info. The Access Info String field is not configurable when Access Info is set to "np" or "location-info". If Access Info is set to "np", Access Info String is automatically set to "network-provided". |
Session Timer | SIP provides a mechanism by which both user agents and proxies can determine whether a given SIP session is still active. |
Enable B2BUA Session Timer Support | This option enables support for session refresh when EdgeMarc acts as a B2BUA, which is required by the SIP trunk service specification. Re-INVITE or UPDATE requests allow a periodic refresh of SIP sessions. |
Session Refresh Interval (s) | The system sends a refresh INVITE at this configured session expiry interval to keep the session alive. The system uses this value only when it acts as the refresher. The default value is 90 seconds. |
Media Security | Configure SRTP and MKI support. |
Enable SRTP support | This option enables SRTP support globally on the device. |
Enable MKI support | This option enables support for the Master Key Identifier (MKI) parameter in the SRTP crypto attribute. This option is available only when Enable SRTP support is enabled. |
SRTP key lifetime | Specifies the key lifetime, measured as the number of packets that can be protected with a key before it must be replaced with a new key. |
H.225 and H.245 Port Range | Specifies the range of Transmission Control Protocol (TCP) ports to use for handling H.225 and H.245 TCP connections. If there is a firewall in front of the system, that firewall must allow TCP connections to this range to reach the system. A smaller range means that fewer ports must be opened on the firewall; however, each H.323 call may require up to 3 ports, and if the range is too small, the number of H.323 calls that the system can process may be restricted. Port numbers specified are inclusive: the range is 10000 to 65535, and the default values are 14085 to 15084. The range must contain a minimum of 999 ports. |
RTP Port Range | Configure an RTP port range for non-translated RTP MOS scoring and traffic shaping. This licensed option allows you to MOS score a non-SIP call and prioritize traffic over these ports to the far end. Without this setting, voice traffic over the IPsec VPN tunnel is not prioritized and you may experience choppy audio. Port numbers specified are inclusive and are checked against the number of calls licensed for the platform. The minimum number of ports required is two times the number of licensed streams or the Call Admission Control (CAC) value from the Traffic Shaping page, whichever is smaller. Choose Network > Traffic Shaper and refer to Configuring Traffic Shaping. While the minimum is two ports per stream, some endpoints may open multiple streams. For H.323 calls, the number of ports per call depends on the number of individual RTP streams the endpoints may use; an H.323 client may request separate streams for video, audio, content sharing, and data/camera control, in which case eight ports are needed per H.323 endpoint. Enter the ports to be scored as comma-separated port numbers or ranges of port numbers, for example: 2000,30000-32000,40002,45000-46000. Note: This option is available only on some versions of VOS with a special license. |
RTP Packetization Time (ms) | When this setting is configured, the system inserts the attribute a=ptime:value in SDP messages, with a default of 20 (ms), if no ptime attribute exists in the SDP body. Note: This is a Microsoft feature; it takes effect only when Enable Microsoft Feature is enabled. |
Enable Multi-ports | With this option enabled, EdgeMarc allocates a unique source port for each client from the configured range when the client is translated through the WAN interface. The following functions are not supported with this feature: B2BUA calls; TLS transport between the SIP server and the EM WAN; IPv6 between the SIP server and the EM WAN; High Availability. Note: This feature is currently restricted to hosted clients only. |
Multi-port Port Range | Specifies the range of ports from which the device assigns a unique WAN source port to each hosted client. The range must be between 22000 and 65535 (inclusive), and the total number of ports must be less than or equal to the maximum number of phones supported on the device. This range must not overlap the RTP range or the H.225/H.245 port range. |
Prioritize Microsoft Teams | Selecting this setting allows Microsoft Teams traffic to be prioritized and MOS scored so that calls are not hampered by bandwidth. The default ports published by Microsoft are used for the shaping and scoring. |
Allow non-translated RTP to be MOS scored | |
RTP range to MOS score | If RTP for a non-translated protocol should be MOS scored and traffic-shaped, enter the RTP port range on which the system should listen for RTP. Enter the ports to be scored as comma-separated port numbers or ranges of port numbers, for example: 2000,30000-32000,40002,45000-46000. Note: This option is available only on some versions of VOS. |
Calculate Round-Trip-Time | Enables Round-Trip-Time (RTT) calculation. The LSR and DLSR values in RTCP packets are used to calculate an RTT value for each RTP stream. RTCP packets can be sent on behalf of phones that do not send RTCP themselves. |
Calculate Round-Trip-Time | Select the Calculate RTT checkbox to enable the feature. |
RTCP MUX Support | This option enables RTCP multiplexing on inbound calls, which helps to establish bi-directional audio calls. |
Bandwidth Settings for H.323 | The maximum bandwidth to be used. The total bandwidth is counted as RTP payload plus IP header overhead, that is, the actual link bandwidth set aside for RTP streams. The per-call bandwidth is the RTP payload bandwidth only, that is, the value used in the client to specify the bandwidth of the call. See Configuring Bandwidth Settings for H.323. Note: Only EdgeProtect supports H.323; EdgeMarc does not support H.323. |
ALG registration | Displays the current ALG registration status. The registration status for the ALG feature is displayed so that you can confirm the feature is enabled; if the feature is not registered, no calls are allowed to pass. Note: The ALG registration code is available on a sticker on the bottom of the device or from your service provider. To view your license key, click the license key link to open the License page, or choose Admin from the Configuration Menu and click the license key link in Registration Status. Refer to Manage the License Key. |
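The rule in the Do strict RTP source check row, modelled as an added example (not EdgeMarc code): an inbound RTP packet is forwarded only if its source address and port match the far end of an existing outbound stream; anything else is logged as rogue RTP and dropped. The payload type and SSRC included in the log line are parsed from the RTP header as an assumption about what a useful syslog entry would carry.

```python
"""Strict RTP source check (added example; not EdgeMarc code)."""
import struct


def parse_rtp_header(packet: bytes):
    """Return (version, payload_type, ssrc) from a fixed RTP header (RFC 3550), or None."""
    if len(packet) < 12:
        return None
    b0, b1, _seq, _ts, ssrc = struct.unpack("!BBHII", packet[:12])
    return b0 >> 6, b1 & 0x7F, ssrc


class StrictRtpGate:
    def __init__(self):
        self.outbound = set()   # far-end (ip, port) pairs we are currently sending RTP to
        self.syslog = []        # stands in for the device's syslog output

    def call_setup(self, remote_ip, remote_port):
        self.outbound.add((remote_ip, remote_port))

    def call_teardown(self, remote_ip, remote_port):
        self.outbound.discard((remote_ip, remote_port))

    def inbound(self, src_ip, src_port, packet):
        """Return True if the packet is forwarded, False if dropped as rogue RTP."""
        if (src_ip, src_port) in self.outbound:
            return True
        hdr = parse_rtp_header(packet)
        detail = f"pt={hdr[1]} ssrc={hdr[2]:#010x}" if hdr else "malformed"
        self.syslog.append(f"rogue RTP dropped: src={src_ip}:{src_port} {detail}")
        return False


def make_rtp(pt: int, seq: int, ssrc: int) -> bytes:
    """Constructed RTP packet: V=2 header plus 160 bytes of dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\x00" * 160


def demo():
    gate = StrictRtpGate()
    gate.call_setup("203.0.113.10", 16384)          # an outbound stream exists
    pkt = make_rtp(0, 1, 0xDEADBEEF)
    results = [
        gate.inbound("203.0.113.10", 16384, pkt),   # matches outbound stream: forwarded
        gate.inbound("203.0.113.10", 16386, pkt),   # wrong port: rogue
        gate.inbound("198.51.100.7", 16384, pkt),   # wrong address: rogue
    ]
    gate.call_teardown("203.0.113.10", 16384)       # call ends
    results.append(gate.inbound("203.0.113.10", 16384, pkt))  # lingering gateway: rogue
    return results, gate.syslog
```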
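The Strip G.729 from calls row says G.729 references are removed from the SDP codec list; this added example (not EdgeMarc code) does that for a constructed SDP offer, handling both the static payload type 18 and a G.729 offered under a dynamic payload type, and leaving the offer untouched when G.729 is the only codec, since an empty format list would break the call.

```python
"""Strip G.729 from an SDP body (added example; not EdgeMarc code)."""
import re

# Constructed sample offer: G.729 (PT 18) sits between PCMU and PCMA.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.5",
    "s=-",
    "c=IN IP4 192.0.2.5",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 18 8 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-16",
    "",
])


def g729_payload_types(lines):
    """Static PT 18 (RFC 3551) plus any dynamic PT whose rtpmap names G729."""
    pts = {"18"}
    for ln in lines:
        m = re.match(r"a=rtpmap:(\d+)\s+G729(?:[/ ]|$)", ln, re.IGNORECASE)
        if m:
            pts.add(m.group(1))
    return pts


def strip_g729(sdp: str) -> str:
    """Remove G.729 from every m=audio format list and its rtpmap/fmtp lines."""
    lines = sdp.split("\r\n")
    pts = g729_payload_types(lines)
    media = [ln.split(" ") for ln in lines if ln.startswith("m=audio ")]
    # If an audio stream offers nothing but G.729, stripping would leave an
    # empty format list, so the offer is returned unchanged.
    if any(not [p for p in parts[3:] if p not in pts] for parts in media):
        return sdp
    out = []
    for ln in lines:
        if ln.startswith("m=audio "):
            parts = ln.split(" ")              # m=audio <port> <proto> <fmt> ...
            ln = " ".join(parts[:3] + [p for p in parts[3:] if p not in pts])
        elif ln.startswith(("a=rtpmap:", "a=fmtp:")):
            pt = ln.split(":", 1)[1].split(" ", 1)[0]
            if pt in pts:
                continue                       # drop the codec's attribute lines
        out.append(ln)
    return "\r\n".join(out)
```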
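The H.225 and H.245 Port Range, RTP Port Range, Multi-port Port Range and RTP range to MOS score rows each state constraints on a port list; this added example (not EdgeMarc code) parses the comma-separated "port or lo-hi" syntax those rows show and checks a whole port plan against the stated rules. The licensed stream count, CAC value and maximum phone count passed in are constructed sample values.

```python
"""Port-plan checks for the port range rows (added example; not EdgeMarc code)."""


def parse_port_spec(spec: str) -> set:
    """'2000,30000-32000,40002' -> set of ports; ranges are inclusive."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item {item!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError("empty port specification")
    return ports


def check_port_plan(h323_spec, rtp_spec, multiport_spec,
                    licensed_streams, cac_calls, max_phones):
    """Return the list of rule violations; an empty list means the plan is valid."""
    h323 = parse_port_spec(h323_spec)
    rtp = parse_port_spec(rtp_spec)
    mp = parse_port_spec(multiport_spec)
    problems = []
    # H.225/H.245: 10000-65535, at least 999 ports (up to 3 per H.323 call).
    if min(h323) < 10000 or len(h323) < 999:
        problems.append("H.225/H.245: range must lie in 10000-65535 and hold >= 999 ports")
    # RTP: two ports per stream, sized by the smaller of licensed streams and CAC.
    need = 2 * min(licensed_streams, cac_calls)
    if len(rtp) < need:
        problems.append(f"RTP: {len(rtp)} ports configured, {need} required")
    # Multi-port: 22000-65535, no more ports than phones, no overlap with the others.
    if min(mp) < 22000:
        problems.append("Multi-port: range must lie in 22000-65535")
    if len(mp) > max_phones:
        problems.append(f"Multi-port: {len(mp)} ports exceeds {max_phones} supported phones")
    if mp & rtp or mp & h323:
        problems.append("Multi-port: range overlaps the RTP or H.225/H.245 range")
    return problems
```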
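The Calculate Round-Trip-Time rows say RTT is derived from the LSR and DLSR fields of RTCP; this added example (not EdgeMarc code) applies the RFC 3550 rule RTT = A - LSR - DLSR to a constructed receiver report block, where A is the report's arrival time and all three values are 32-bit compact NTP timestamps (the middle 32 bits of the 64-bit NTP time, i.e. 16.16 fixed-point seconds, modulo 2^32).

```python
"""RTT from an RTCP receiver report block (added example; not EdgeMarc code)."""
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def compact_ntp(unix_seconds: float) -> int:
    """Middle 32 bits of the NTP timestamp (16 bits of seconds, 16 bits of fraction)."""
    ntp = unix_seconds + NTP_UNIX_OFFSET
    whole = int(ntp)
    frac = int((ntp - whole) * 65536)
    return ((whole & 0xFFFF) << 16) | (frac & 0xFFFF)


def parse_report_block(block: bytes):
    """Unpack one 24-byte RR report block (RFC 3550 6.4.2); return (ssrc, lsr, dlsr)."""
    ssrc, _lost, _ehsn, _jitter, lsr, dlsr = struct.unpack("!IIIIII", block[:24])
    return ssrc, lsr, dlsr


def rtt_seconds(arrival_unix: float, lsr: int, dlsr: int) -> float:
    """RFC 3550 6.4.1: A - LSR - DLSR, computed modulo 2^32 to survive wrap-around."""
    a = compact_ntp(arrival_unix)
    return ((a - lsr - dlsr) & 0xFFFFFFFF) / 65536.0


def demo() -> float:
    sr_sent = 1700000000.0                # constructed: time we sent our Sender Report
    lsr = compact_ntp(sr_sent)            # peer echoes it as LSR
    dlsr = int(0.5 * 65536)               # peer held the SR for 0.5 s before replying
    block = struct.pack("!IIIIII", 0x11223344, 0, 1000, 20, lsr, dlsr)
    arrival = sr_sent + 0.5 + 0.120       # RR arrives after 120 ms of network delay
    _, lsr_rx, dlsr_rx = parse_report_block(block)
    return rtt_seconds(arrival, lsr_rx, dlsr_rx)   # about 0.120
```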