Document ID: 550-06291

Software Release: 10.01R004

Document Version: 02.01

Published:  



Note

To submit recommendations for changes or comments, email Richard Travis, Ribbon Program Manager, at rtravis@rbbn.com.

Revision History

Document Version | Date | Editor | Details
V1.1 | 15 October 2014 | Ribbon Federal | Initial
V1.2 | 15 October 2014 | Ribbon Federal | Reformatted guide
V1.3 | 2014 | Ribbon Federal | Edited Initial Config., step 4d.
V2.0 | 12 January 2015 | Ribbon Tech Pubs | Replaced contact name in Intro section
V3.0 | 1 September 2017 | Ribbon Tech Pubs | Updated for release 5.1 and to include SBC SWe in the list of SBC platforms
V4.0 | 1 September 2017 | Ribbon Tech Pubs | Updated Conditions of Fielding section.
V5.0 | 20 October 2017 | Ribbon Tech Pubs | Updated published date and SW version per DTR 1
V6.0 | 31 August 2018 | Ribbon Tech Pubs | Updated company name, page title, published date, and Conditions of Fielding per DTR2. This guide is revised to support SBC SWe TN 163401 DTR2 and SBC 5x10 TN 1314804 DTR2
V7.0 | 10 September 2019 | Ribbon Tech Pubs | Updated 5.1.2 PDF filenames to 6.2.2 and 6.2.1. Also updated Installation, Initial Configuration, Procedure, and Conditions of Fielding sections.
V8.0 | 16 September 2019 | Ribbon Tech Pubs | Added step to the Initial Configuration procedure
V9.0 | 20 December 2019 | Ribbon Tech Pubs | Republished guide to align with the latest test efforts. No material changes made.
V10.0 | 26 May 2020 | Ribbon Tech Pubs | Republished guide to reflect updated publication date. No material changes made.
V11.0 | 21 August 2020 | Ribbon Tech Pubs | Republished guide to reflect updated publication date and release update from 6.2.3 to 7.2.1. No material changes made.
V12.0 | | Ribbon Tech Pubs | Release update to 7.2.5R002. Added note regarding SBC SWe on VMware.
V15.0 | | Ribbon Tech Pubs | Added Related articles section. Added specific links to installation and configuration of the SBC (CLI and EMA methods). Added CLI configuration code blocks for reference.
V16.0 | | Ribbon Tech Pubs | Updated the images and procedure. Provided links to the latest 7.2 version of the documents.
V17.0 | | Ribbon Tech Pubs | Updated the images and procedure. Provided links to the latest 10.01 version of the documents.
V17.1 | | Ribbon Tech Pubs | Added steps for command Zone - Block Direction - CLI.
V02.01 | | Ribbon Tech Pubs | Changed to new versioning schema: from V17.1 to V02.01

Conditions of Fielding

Users must reference and follow the Conditions of Fielding (COF) found in the Information Assurance Assessment Report/Cybersecurity Assessment Report (IAAR/CAR).

Links to Installation and Configuration 


Installation

The links below are the starting points for all elements of installation and configuration of a Ribbon SBC. Follow the "First Steps" guidance for the platform you are installing. Each step has supporting documentation links that will take you from Network Planning to the start of configuration.


Items Unique to a U.S. Federal and DoD Deployment

Once the SBC hardware or virtual machine is up and running and the SBC application code is installed, configure the SBC application.
You can configure the SBC application through either of the following methods:

1. The Command Line Interface (CLI). For more information, refer to the CLI Reference Guide.
2. The GUI-based Embedded Management Application (EMA). For more information, refer to the EMA User Guide.

Any configuration accomplished in one format can also be accomplished in the other. For experienced individuals familiar with the system, the CLI is often faster but less intuitive. The following items have specific parameters and requirements for U.S. Federal and DoD configurations.
These specific parameters come from a variety of sources such as the DoD UCR, Security Technical Implementation Guides (STIGs), and Security Requirements Guides (SRGs).
For brevity, the examples are provided in the CLI format. However, you can also perform all the example commands through the EMA UI.

After the unit is commissioned and turned over to the customer, the CLI is no longer available.

SWe Deployments

ESXi Guest Tags

The SWe is VMware compatible and, as such, relies on certain VM tags being configured within the ESXi environment.

Please ensure these tags are applied to your guest's .vmx file to be compliant with the ESXi VM Guest STIG.

vmci0.unrestricted = "FALSE"
isolation.monitor.control.disable = "TRUE"
isolation.bios.bbs.disable = "TRUE"
isolation.ghi.host.shellAction.disable = "TRUE"
log.rotateSize = "100000"
log.keepOld = "10"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
RemoteDisplay.maxConnection = "1"
vmsafe.enable = "FALSE"
isolation.tools.autoInstall.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
isolation.tools.ghi.protocolhandler.info.disable = "TRUE"
isolation.tools.dispTopoRequest.disable = "TRUE"
isolation.tools.trashFolderState.disable = "TRUE"
isolation.tools.ghi.trayicon.disable = "TRUE"
isolation.tools.unity.disable = "TRUE"
isolation.tools.unityInterlockOperation.disable = "TRUE"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.unity.taskbar.disable = "TRUE"
isolation.tools.unityActive.disable = "TRUE"
isolation.tools.unity.windowContents.disable = "TRUE"
isolation.tools.vmxDnDVersionGet.disable = "TRUE"
isolation.tools.guestDnDVersionSet.disable = "TRUE"
isolation.tools.vixMessage.disable = "TRUE"
tools.setinfo.sizeLimit = "1048576"
tools.guestlib.enableHostInfo = "FALSE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
floppy0.present = "FALSE"
logging = "FALSE"
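A quick way to audit a guest's .vmx file against the tag list above before an assessment. This is an added example, not Ribbon or VMware code; REQUIRED holds a constructed subset of the tags (extend it with the remaining keys) and SAMPLE_VMX is a constructed fragment with one wrong value and one missing key.

```python
"""Audit a VMware .vmx file against the ESXi guest-hardening tags listed above.
Added example, not Ribbon's code. REQUIRED is a constructed subset of the tag
list; add the remaining keys from the list to make the check complete."""
import re

REQUIRED = {
    "vmci0.unrestricted": "FALSE",
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "RemoteDisplay.maxConnection": "1",
    "tools.setinfo.sizeLimit": "1048576",
    "log.keepOld": "10",
}

# key = "value"   (a missing closing quote, as in hand-edited files, still parses)
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Return {lower-cased key: value}. .vmx keys are case-insensitive and a
    repeated key is last-one-wins, which is how ESXi reads the file."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text: str, required: dict = REQUIRED) -> list:
    """Return (key, expected, actual) for every tag that is not compliant.
    An absent key is reported with actual=None: an unset tag falls back to the
    hypervisor default, which is not the hardened value."""
    settings = parse_vmx(text)
    findings = []
    for key, expected in required.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != expected.upper():
            findings.append((key, expected, actual))
    return findings


# Constructed sample: paste.disable is wrong, log.keepOld is missing, and one
# key differs only in case from the list (still counts as set).
SAMPLE_VMX = '''
.encoding = "UTF-8"
vmci0.unrestricted = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.tools.dnd.disable = "TRUE"
Isolation.Device.Connectable.Disable = "TRUE"
RemoteDisplay.maxConnection = "1"
tools.setinfo.sizeLimit = "1048576"
'''

if __name__ == "__main__":
    for key, want, got in audit_vmx(SAMPLE_VMX):
        print(f"NON-COMPLIANT {key}: expected {want!r}, found {got!r}")
```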


Login Banner

The Federal Government requires a user warning and acknowledgement prior to logging into any security-controlled system. The following instructions accomplish this task:

  • Modify the pre-login banner to the DoD warning
  • Require banner acknowledgment prior to login

From the EMA

Application Management is a new tool that provides the capability to manage many security-related system settings.

On SBC main screen, navigate to Administration > Users and Application Management > Application Management.

The "Application Management" window displays.

  1. Enable the Show Login Banner option to display all fields.
  2. Enable the Require User to Acknowledge Banner before Logging in option to require acknowledgement from users every time they try to log in.
  3. Enter the text to be displayed as the banner in the text box next to the Banner Text option.

Once the changes are saved, the banner text displays on the login screen.

From the CLI

config
set system admin USNASMSWe01 banner bannerText "<DoD Login Warning>"
set system admin USNASMSWe01 banner ackBanner enable
commit


CAC/RADIUS

From the CLI

1. Configure the SBC EMA for local Password Authentication and/or Remote (RADIUS).

    Login as admin and enter the following:

#config
#set oam ema clientAuthMethod usernamePasswordOrPkiCert
#commit


2. Configure the OAM administrative user(s) 'Access Type' for password or PKI/CAC authentication:

        [can this be done cli?]

3. Configure the SBC for RADIUS Server access and connectivity:

set oam radiusAuthentication radiusServer <Server Name> priority <Value>
set oam radiusAuthentication radiusServer <Server Name> state <enabled | disabled>
set oam radiusAuthentication radiusServer <Server Name> radiusServerIp <IP addr>
set oam radiusAuthentication radiusServer <Server Name> radiusServerPort <Port>
set oam radiusAuthentication radiusServer <Server Name> radiusNasIp <Source IP>
set oam radiusAuthentication radiusServer <Server Name> radiusSharedSecret <Password>
set oam radiusAuthentication radiusServer <Server Name> mgmtInterfaceGroup <Interface Name>
set oam radiusAuthentication radiusServer <Server Name> authenticationMethod <pap | peapmschapv2>

From the EMA

1. Configure the SBC EMA for local Password Authentication and/or Remote (RADIUS):

    a. On the SBC main screen, navigate to Administration > Users and Application Management > EMA.
    b. Click the Client Auth Method dropdown list, select username or PKI cert, and click Save.

2. Configure the OAM administrative user(s) 'Access Type' for password or PKI/CAC authentication:

   a. On the SBC main screen, navigate to Administration > Users and Application Management > User and Session Management.
   b. Select your user, scroll down to Account Type, select Password or Public Key/CAC Card Only, and click Save.
   c. Navigate to Administration > Users and Application Management > User and Session Management > Public Key Authentication.
   d. Complete the page with your public key information.

The RSA public key must be at least 2048 bits in strength, in one of the following formats: PEM, PKCS8, RFC4716, OpenSSH.

3. Configure the SBC for RADIUS server access and connectivity:

    a. From the SBC main screen, go to Administration > Users and Application Management > Radius Authentication > Radius Server.
    b. Select a new server and configure it for your RADIUS server.

You can configure up to three RADIUS servers per SBC. The new Radius server option is not available once three servers are configured.
     

FIPS Mode

SBC deployments in the US Federal Government require federally compliant encryption methods. FIPS-140-3 is the most current version, and devices validated by the National Institute of Standards and Technology (NIST) are referred to as "FIPS compliant." When FIPS Mode is enabled on the system, any protocol or encrypted data within the system uses the FIPS-compliant encryption module. FIPS mode is a requirement for the SBC to connect to any DoD network. FIPS Mode forces certain parameter requirements in order to be compliant. For example, when TLS and SRTP are selected, only TLS version 1.2 is allowed; 1.0 and 1.1 are no longer available. Only a subset of SRTP cipher suites is available under FIPS Mode.

For more details on FIPS and the processes to enable: Users and Application Management - Fips-140-2.

Notes
  • If SNMPv3 was configured before switching to FIPS mode, you must disable it before enabling FIPS mode and then reconfigure it after FIPS mode is enabled.
  • SBC Core 10.1.x supports FIPS 140-2.

From the CLI

Enter the following command:

set system admin <systemName> fips-140-3 mode <Disable | Enable>


From the EMA

  1. From the SBC home screen, go to All > System > Admin > fips-140-3.
  2. Choose the FIPS state for your SBC.

Disabling FIPS resets the unit to defaults, erasing configuration information as well as certificates.


SNMPv3

2.1 Disable SNMPv2:

set oam snmp trapTarget emaTarget ipAddress 127.0.0.1
set oam snmp trapTarget emaTarget port 8162
set oam snmp trapTarget emaTarget trapType v2
set oam snmp trapTarget emaTarget targetUsername admin
set oam snmp trapTarget emaTarget targetSecurityLevel noAuthNoPriv
set oam snmp trapTarget emaTarget state disable
commit


        
2.2 Reconfigure SNMP v3:

set oam snmp communityString admin snmpCommunityName admin
set oam snmp communityString guest snmpCommunityName guest
set oam snmp communityString operator snmpCommunityName operator
set oam snmp version v3
set oam snmp localEngineId 80:00:0b:3f:03:00:0c:29:16:f8:9a
set oam snmp securityLevel authPriv
set oam snmp users admin group admin
set oam snmp users admin authProtocol hmacsha
set oam snmp users admin authKey 00:00:00:00:00:00:00:00
set oam snmp users admin privProtocol aes128
set oam snmp users admin privKey 00:00:00:00:00:00:00:00
set oam snmp users guest group guest
set oam snmp users guest authProtocol hmacsha
set oam snmp users guest authKey 00:00:00:00:00:00:00:00
set oam snmp users guest privProtocol aes128
set oam snmp users guest privKey 00:00:00:00:00:00:00:00
set oam snmp users operator group operator
set oam snmp users operator authProtocol hmacsha
set oam snmp users operator authKey 00:00:00:00:00:00:00:00
set oam snmp users operator privProtocol aes128
set oam snmp users operator privKey 00:00:00:00:00:00:00:00
commit


DoD Mode

DoD mode increases the security posture of the system by disabling certain access paths to the system, namely CLI command access and Platform Manager (PM) on the Active system. Platform Manager is still available on the standby component of an HA pair. For troubleshooting purposes, you can enable CLI and PM from within the EMA, but as noted above and within the documentation, this reduces the security posture of the system.

From the CLI

set system admin <SYSTEM NAME> dod mode <disabled | enabled>
set system admin <SYSTEM NAME> cliAccess <disabled | enabled>
set system admin <SYSTEM NAME> pmAccess <disabled | enabled>
commit


    

From the EMA

  1. On the SBC main screen, navigate to All > System > Admin > Dod.
  2. From here you can enable DoD mode, PM access and CLI access as desired.


DoD PKI Certificates

DoD operates its own global Certificate Authority (CA), which is therefore the only issuer of certificates for all DoD PKI-enabled devices. Most devices that support PKI certificates can generate Certificate Signing Requests (CSRs), but you must submit all CSRs to the DoD CA for issuance. The DoD CA issues the certificates in base-64 encoding. Since most devices use a PEM format plus a private key, the certificates need to be converted to PEM, DER or P12 (with embedded private key). There are a number of tools for doing the conversion; the most common is openssl with its x509 commands. DoD mode can affect how certificates are applied. For additional details on importing certificates into the SBC, refer to Generating PKI Certificates.
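The conversion path described above, driven from Python around the openssl CLI, as an added example that is not Ribbon's code. It assumes openssl is on PATH; the file names, the P12_PASS variable and the self-signed key/cert that selftest() generates are constructed stand-ins for DoD-issued material.

```python
"""Normalise a DoD-CA-issued base-64 certificate and convert it with openssl.
Added example, not Ribbon's code. Assumes the openssl CLI is on PATH; file
names, the P12_PASS variable and the self-signed material in selftest()
are constructed stand-ins for certificates issued by the DoD CA."""
import os
import shutil
import subprocess
import tempfile
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem(blob: str) -> str:
    """Return PEM text. A bare base-64 body (no BEGIN/END lines) is wrapped
    at 64 columns; input that is already PEM is passed through."""
    body = blob.replace("\r", "").strip()
    if PEM_HEADER in body:
        return body + "\n"
    b64 = "".join(body.split())  # drop any embedded whitespace
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def _run(*args: str) -> str:
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def key_matches_cert(cert_pem: str, key_pem: str) -> bool:
    """Compare the public key inside the cert with the one derived from the
    private key; a mismatch means the cert was issued for a different CSR."""
    return (_run("openssl", "x509", "-in", cert_pem, "-noout", "-pubkey")
            == _run("openssl", "pkey", "-in", key_pem, "-pubout"))


def convert(cert_pem: str, key_pem: str, outdir: str, password: str) -> dict:
    """Write DER and PKCS#12 (cert + key) copies of the certificate. The P12
    password is passed through the environment, not the command line."""
    if not key_matches_cert(cert_pem, key_pem):
        raise ValueError("private key does not match certificate")
    der, p12 = os.path.join(outdir, "cert.der"), os.path.join(outdir, "cert.p12")
    _run("openssl", "x509", "-in", cert_pem, "-outform", "DER", "-out", der)
    subprocess.run(["openssl", "pkcs12", "-export", "-in", cert_pem, "-inkey",
                    key_pem, "-out", p12, "-passout", "env:P12_PASS"],
                   check=True, env={**os.environ, "P12_PASS": password})
    return {"der": der, "p12": p12}


def selftest() -> bool:
    """Round-trip a throwaway self-signed key/cert; True on success (and
    when openssl is absent, in which case there is nothing to run)."""
    if shutil.which("openssl") is None:
        return True
    with tempfile.TemporaryDirectory() as d:
        key, crt = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
        _run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=sbc.example")
        with open(crt) as f:  # simulate a portal that returns only the body
            bare = "".join(ln for ln in f if not ln.startswith("-----"))
        with open(crt, "w") as f:
            f.write(to_pem(bare))
        out = convert(crt, key, d, "constructed-passphrase")
        return all(os.path.getsize(p) > 0 for p in out.values())


if __name__ == "__main__":
    print("ok" if selftest() else "FAILED")
```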

DISA SIP Trunk

There are three primary areas of SIP Trunking configuration for connecting to a DISA SIP Trunk. These areas are Policy, Signaling, and Media. 

There are additional Packet Service Profile elements for Media handling and IP Signaling Profiles.


From the CLI

The following CLI commands set the non-default values for SIP trunking to DISA.


set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> state enabled
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> mode inService
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> policy sipDomain UC.MIL
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> policy callRouting elementRoutingPriority Default_IP
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> policy media packetServiceProfile BLK_PSP
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> policy signaling ipSignalingProfile <Site Specific IPSP>
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> signaling messageManipulation outputAdapterProfile <Site Specific SMM>
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> media lateMediaSupport passthru
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> media mediaIpInterfaceGroupName <Site Specific Interface Group Name>
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> media mediaPortRange baseUdpPort 16384
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> media mediaPortRange maxUdpPort 32764
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> ingressIpPrefix <DISA SBC Peer IP>
set addressContext <DEFAULT> zone <SITE SPEC ZONE NAME> sipTrunkGroup <SITE SPEC TG NAME> ingressIpPrefix <Alt DISA SBC Peer IP>


From the EMA

  1. Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group.
  2. Select or create your site-specific trunk group, both enabled and in service.
  3. Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Policy.
  4. Complete the Sip Domain field and then click Save.
  5. Navigate to Call Routing, select Default_ip, and click Save.
  6. Within the Policy subfolder, navigate to Media, select your site-specific Packet Service Profile, and click Save.
  7. Below Media is Signaling; assign your site-specific IPSP there.
  8. From the home screen, navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Signaling > Message Manipulation.
  9. Assign your site-specific SMM profiles.
  10. Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Media.
  11. Set Late Media Support to passthru.
  12. Assign a Media IP Interface Group Name.
  13. Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Media > Media Port Range.
  14. Set Base UDP Port to 16384 and Max UDP Port to 32764.
  15. Navigate to Configuration > System Provisioning > Trunk Group > Sip Trunk Group > Ingress IP Prefix.
  16. Assign the DISA SBC peer IP address and the alternate DISA SBC peer IP address.

Packet Service Profile (PSP)

The Ribbon SBC Packet Service Profile is used to adjust the commonly known media and media policy elements that vary between SIP protocol vendors.

See also: Packet Service Profile - Video Calls (EMA) and Packet Service Profile - CLI.

From the CLI

set profiles media packetServiceProfile <unique_profile_name> videoCalls
  audioOnlyIfVideoIsPrevented <disable | enable>    Default = enable
  codecListProfile <name>                            Default = blank
  ieee8021QVLanCos <0-7>                             Default = 0
  ipv4Tos <0-255>                                    Default = 0
  ipv6TrafficClass <0-255>                           Default = 0
  maxVideoBandwidth <0-50000 kbps>                   Default = 0; recommended 6000
  videoBandwidthReductionFactor <0-100>              Default = 0; recommended 10


From the EMA

Navigate to All > Profiles > Media > Packet Service Profile > Video Calls.

All of the fields in the above commands are present and configurable here.



IP Access Control / Access Control List (ACL) Implementation

The purpose of the ACL feature is to secure the management ports of the SBCs by IP address: deny by default, and allow only specific users and services (NTP, RADIUS, syslog, etc.). This is done by first assigning the Allow addresses/protocols/ports and then locking down the overall system by assigning a Deny rule. In this manner, anything not in the Allow list is denied.

From the EMA

1. Navigating the SBC EMA for IP Access Control:

    a. Log in to the SBC EMA and navigate to Configuration > Security Configuration > IP Access Control List (open pulldown) > Rule.
    b. Select the correct Address Context from the system.
       The screen shows the existing rules, and new rules can be added from here.

2. Adding a New Access Rule:

    a. Navigate to the IP Access Control List (open pulldown) > Rule section of the EMA.
    b. Select the correct Address Context from the system.
    c. Click the + New Rule button.
    d. Scroll down to Create New Rule.
    e. Proceed to configure the new rule.


Example of New Rule Screen:

2b. Access Rule fields

    a. Name (up to 23 characters)
       The characters #%^&(){}<>,/\;`[]=!$"*?|~ and SPACE are not allowed.
    b. Precedence* (1 - 65535)
       The precedence of this access control list rule.
    c. Protocol (icmp, tcp, udp, icmpv6, ospf, any, or 0 - 255)
       The IP protocol type.
    d. IP Interface Group
       The name of an IP interface group (IPIG) to match.
    e. IP Interface
       The name of an IP interface to match.
    f. Mgmt IP Interface Group (normally used: covers all Mgmt interfaces)
       The name of a MGMT IP interface group to match.
    g. Mgmt IP Interface (can be used for individual Mgmt interfaces)
       The name of a MGMT IP interface to match.
    h. Source IP Address
       The source IP address to match.
    i. Source Address Prefix Length (0 - 128)
       The length of the source IP address prefix which must match.
    j. Destination IP Address
       The destination IP address prefix to match.
    k. Destination Address Prefix Length (0 - 128)
       The length of the destination IP address prefix which must match.
    l. Source Port (any or 0 - 65535)
       The source port to match.
    m. Destination Port (any or 0 - 65535)
       The destination port to match.
    n. Action (Accept / Discard / Unconditional Deny)
       The action to take when this rule is matched.
    o. Fill Rate (unlimited or 1 - 32000)
       The policing fill rate (in pkts/sec); set to 50 pkts/sec as the default value.
    p. Bucket Size (unlimited or 1 - 255)
       The policing bucket size (in pkts); set to 50 pkts if not specified by the operator.
    q. State (Disabled / Enabled)
       Administrative state of the IP access control list rule.
    r. Aggregate Policer
       Name of the aggregate policer this rule is associated with.
    s. Min TTL (0 - 255)
       The minimum TTL for BFD support.

Example of completed 'Allow' rule
 

Example of Deny-All rule (required)
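A simulation of how the Allow rules and the required Deny-all fit together, as an added example that is not Ribbon's code. It assumes (the page does not state it) that rules are evaluated in ascending Precedence order with the first match winning; the peer addresses are constructed, and the MISORDERED_ACL set shows what a Deny-all with the lowest precedence value does to the Allow rules.

```python
"""Simulate the SBC management ACL described above: explicit Allow rules for
the NTP, RADIUS and admin peers, then the required Deny-all.
Added example, not Ribbon's code. Assumed (this page does not state it):
rules are checked in ascending Precedence order and the first match wins.
All peer addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int   # 1 - 65535; assumed: lower value is evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "any"
    src: str          # source IP address
    src_prefix: int   # source prefix length; 0 matches every source
    src_port: str     # "any" or a port number
    dst_port: str     # "any" or a port number
    action: str       # "accept" or "discard"

    def matches(self, proto: str, src_ip: str, sport: int, dport: int) -> bool:
        net = ipaddress.ip_network(f"{self.src}/{self.src_prefix}", strict=False)
        return (self.protocol in ("any", proto)
                and ipaddress.ip_address(src_ip) in net
                and self.src_port in ("any", str(sport))
                and self.dst_port in ("any", str(dport)))


def evaluate(rules, proto: str, src_ip: str, sport: int, dport: int) -> str:
    """Action of the first matching rule by precedence; 'discard' if none."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(proto, src_ip, sport, dport):
            return rule.action
    return "discard"  # nothing matched: treat as denied, per the page's intent


def shadowed_by_deny_all(rules) -> list:
    """Names of Allow rules that can never fire because a Deny rule matching
    everything sorts ahead of them (the Deny-all entered with the wrong
    precedence)."""
    shadowed, deny_seen = [], False
    for r in sorted(rules, key=lambda r: r.precedence):
        if (r.action == "discard" and r.protocol == "any" and r.src_prefix == 0
                and r.src_port == "any" and r.dst_port == "any"):
            deny_seen = True
        elif deny_seen and r.action == "accept":
            shadowed.append(r.name)
    return shadowed


# Constructed rule set: replies from the NTP and RADIUS servers, SSH from the
# admin subnet, and the catch-all Deny with the highest precedence value.
MGMT_ACL = [
    Rule("ntp-reply",    10, "udp", "10.0.5.10", 32, "123",  "any", "accept"),
    Rule("radius-reply", 20, "udp", "10.0.9.7",  32, "1812", "any", "accept"),
    Rule("admin-ssh",    30, "tcp", "10.0.5.0",  24, "any",  "22",  "accept"),
    Rule("deny-all",  65535, "any", "0.0.0.0",    0, "any",  "any", "discard"),
]
# Same Allow rules, but the Deny-all was given precedence 1 by mistake.
MISORDERED_ACL = [Rule("deny-all", 1, "any", "0.0.0.0", 0, "any", "any",
                       "discard")] + MGMT_ACL[:3]

if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "tcp", "10.0.5.20", 51000, 22))   # accept
    print(evaluate(MGMT_ACL, "tcp", "192.0.2.9", 51000, 22))   # discard
    print(shadowed_by_deny_all(MISORDERED_ACL))                 # all three Allow rules
```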



Zone Block Direction

The blocking function restricts sending out-of-dialog SIP requests from your network to the opposite network, but does not restrict sending in-dialog requests to the opposite network. Incoming SIP requests are not restricted, and test calls are still sent to the opposite network even when the blocking state is OUTGOING.

Command Syntax

Use this command to block incoming and/or outgoing calls based on the selected direction.

Note

Unless annotated otherwise, the parameter values in this section apply to the SBC Core.

% set addressContext <address context name> zone <zone name> ipPeer <ippeer name> blockDirection <bothways | incoming | none | outgoing>


Command Parameters

Parameter | Description
blockDirection | The Block Direction options include:
  • bothways – This trunk group blocks calls in both directions.
  • incoming – Calls inbound to this trunk group are blocked.
  • none (default) – No calls are blocked by this trunk group.
  • outgoing – Calls outbound from this trunk group are blocked.