© 2021 Ribbon Communications Operating Company, Inc. © 2021 ECI Telecom Ltd. All rights reserved. The compilation (meaning the collection, arrangement and assembly) of all content on this site is protected by U.S. and international copyright laws and treaty provisions and may not be used, copied, reproduced, modified, published, uploaded, posted, transmitted or distributed in any way, without prior written consent of Ribbon Communications Inc.
The trademarks, logos, service marks, trade names, and trade dress (“look and feel”) on this website, including without limitation the RIBBON and RIBBON logo marks, are protected by applicable US and foreign trademark rights and other proprietary rights and are the property of Ribbon Communications Operating Company, Inc. or its affiliates. Any third-party trademarks, logos, service marks, trade names and trade dress may be the property of their respective owners. Any uses of the trademarks, logos, service marks, trade names, and trade dress without the prior written consent of Ribbon Communications Operating Company, Inc., its affiliates, or the third parties that own the proprietary rights, are expressly prohibited.
This document depicts the configuration details for Ribbon SBC Edge interworking & compliance against Deutsche Telekom CompanyFlex SIP Trunking solution.
The Ribbon Session Border Controller provides best-in-class communications security. The Ribbon SBC Edge dramatically simplifies the deployment of robust communications security services for SIP Trunking.
Deutsche Telekom is a telecommunications company that offers a range of fixed-network services, such as voice and data communication services based on fixed-network and broadband technology, and sells terminal equipment, other hardware, and services to resellers.
This document provides configuration best practices for deploying Ribbon's SBC 1000/2000 and SWe Lite series when connecting with Deutsche Telekom CompanyFlex. Note that these are configuration best practices, and each customer may have unique needs and networks. Ribbon recommends that customers work with network design and deployment engineers to establish the network design which best meets their requirements.
It is not the goal of this guide to provide detailed configurations that will meet the requirements of every customer. Use this guide as a starting point and build the SBC configurations in consultation with network design and deployment engineers.
This is a technical document intended for telecommunications engineers with the purpose of configuring both the Ribbon SBC and the third-party product. Navigating the third-party product as well as the Ribbon SBC Edge GUI is required. Understanding the basic concepts of TCP/TLS, IP/Routing, and SIP/RTP/SRTP is also necessary to complete the configuration and any required troubleshooting.
The following aspects are required before proceeding with the interop:
Any IP-PBX which is SIP Connect 2.0 Compliant can be deployed with Ribbon SBC Edge. For this interop testing we have used CUCM 12.5 which is SIP Connect 2.0 Compliant.
During this interop, the SIP Trunk between Deutsche Telekom and Ribbon SBC Edge has been configured with TLS and SRTP.
The configuration uses the following equipment and software:
Refer to the following document for installing the Ribbon SBC Edge: Installing SBC 1000/2000.
Open any browser and enter the SBC IP address.
Click Enter and log in with a valid User ID and Password.
This section describes how to view the status of each license along with a copy of the license keys installed on your SBC. The Feature Licenses panel enables you to verify whether a feature is licensed, along with the number of remaining licenses available for a given feature at run-time.
From the Settings tab, navigate to System > Licensing > Current Licenses.
For more details on Licenses, refer to Ribbon SBC Edge Licenses.
A Trusted CA Certificate is a certificate issued by a trusted certificate authority. Trusted CA Certificates are imported to the SBC SWe Lite to establish its authenticity on the network.
From the Settings tab, navigate to Security > SBC Certificates > Trusted CA Certificates.
This section describes the process of importing Trusted Root CA Certificates, using either the File Upload or Copy and Paste methods.
Follow the above steps to import the Service Provider's (Deutsche Telekom) Root and Intermediate certificates of their Public CA.
For more details on Certificates, refer to Working with Certificates.
When the Verify Status field in the Certificate panel indicates Expired or Expiring Soon, replace the Trusted CA Certificate. You must delete the old certificate before importing a new certificate successfully.
Most Certificate Vendors sign the SBC Edge certificate with an intermediate certificate authority. There is at least one, but could be several intermediate CAs in the certificate chain. When importing the Trusted Root CA Certificates, import the root CA certificate and all Intermediate CA certificates. Failure to import all certificates in the chain causes the import of the SBC Edge certificate to fail. Refer to Unable To Get Local Issuer Certificate for more information.
View Networking Interfaces
The Ribbon SBC Edge supports five system created logical interfaces (known as Administrative IP, Ethernet 1 IP, Ethernet 2 IP, Ethernet 3 IP, and Ethernet 4 IP). In addition to the system created logical interfaces, the Ribbon SBC Edge supports user-created VLAN logical sub-interfaces.
Admin IP, Ethernet 2 IP, Ethernet 1 IP are used for this interop.
From the Settings tab, navigate to Networking Interfaces > Logical Interfaces.
Administrative IP
The SBC SWe Lite system supports a logical interface called the Admin IP (Administrative IP, also known as the Management IP). A Static IP or DHCP is used for running Initial Setup of the SBC SWe Lite system.
Ethernet 1 IP
Ethernet 1 IP is assigned an IP address used for transporting all the VOIP media packets (for example, RTP, SRTP) and all protocol packets (for example, SIP, RTCP, TLS). In the default software, Ethernet 1 IP is enabled, and an IPv4 address is acquired via a connected DHCP server. You can assign a static IP as well. This interface faces Deutsche Telekom.
Use a static IP address on the interface towards Deutsche Telekom.
Ethernet 2 IP
Configure the Ethernet 2 interface as required. This interface faces the IP-PBX (CUCM).
If you are migrating from SIP Trunk DeutschlandLAN towards CompanyFlex, ensure that you configure either a second (different) interface IP address on SBC1000 / SBC2000, or in case of SBC SWe Lite, a second interface with a different IP address.
Do not use the same IP for DeutschlandLAN and CompanyFlex on the SBC.
Static routes are used to create communication to remote networks. In a production environment, static routes are mainly configured for routing from a specific network to another network that you can only access through one point or one interface (single path access or default route).
Destination IP
Specifies the destination IP address.
Mask
Specifies the network mask of the destination host or subnet. If the 'Destination IP Address' field and 'Mask' field are both 0.0.0.0, the static route is called the 'default static route'.
Gateway
Specifies the IP address of the next-hop router to use for this static route.
Metric
Specifies the cost of this route, and therefore indirectly specifies the preference of the route. Lower values indicate more preferred routes. The typical value is 1 for most static routes, indicating that static routes are preferred to dynamic routes.
This section describes the steps to configure SBC SWe Lite with TLS/SRTP towards Deutsche Telekom SIP Trunk.
Select Settings > SIP > Remote Authorization Tables.
Remote Authorization Tables entries contain information for responses to request message challenges by an upstream server.
Select Settings > SIP > Contact Registration Table.
The Contact Registrant Tables manage contacts that are registered to a SIP server. The SIP Server Configuration can specify a Contact Registrant Table. The username portion of the table is used for outbound calls.
Click on Registration status under the "Contact Registration profile" to see the status of SIP Trunk registration with Deutsche Telekom.
The TLS profile defines the crypto parameters for the SIP protocol.
Select Settings > Security > TLS Profile. Click the Create icon to create a new TLS profile.
Select Settings > SIP > SIP Server Tables
SIP Server Tables contain information about the SIP devices connected to the SBC Edge. The entries in the tables provide information about the IP Addresses, ports, and protocols used to communicate with each server. The table entries also contain links to counters that are useful for troubleshooting.
When you configure a SIP server table entry with a DNS SRV record, Ribbon recommends that you do not configure another SIP server table entry with the IPs or FQDNs that the DNS SRV record resolves.
SDES-SRTP Profiles define a cryptographic context which is used in SRTP negotiation. SDES-SRTP Profiles are required for enabling encryption and SRTP, and are applied to Media Lists. SDES-SRTP Profiles were previously named Media Crypto Profiles.
Select Settings > Media > SDES-SRTP Profile. Click the Create icon to create a new SRTP profile.
Select Settings > Media > Media List.
Media Profiles specify the individual voice and fax compression codecs and their associated settings for inclusion into a Media List. Different codecs provide varying levels of compression, allowing the reduction of bandwidth requirements.
Select Settings > Media > Media Profiles.
Create a Media profile with G729 codec if needed.
As per Deutsche Telekom, T.38 media encryption is not supported. Negotiations within an established connection for T.38 to a UE using encryption are rejected with SIP Error code 488, so that fax transmission will use G.711 with encryption instead.
It is recommended to use a maximum packet time (max pTime) of 20ms for all Voice Codecs.
Select Settings > SIP > SIP Profiles.
SIP Profiles control how the SBC Edge communicates with SIP devices. The SIP Profile controls important characteristics, such as the following: session timers, SIP header customization, SIP timers, MIME payloads, and option tags.
Create a new SIP profile with the name "Telekom sip profile" with the session timer enabled. The Minimum Acceptable Timer is 600, and the Offered Session Timer is 1800.
Signaling Groups allow grouping telephony channels together for the purposes of routing and shared configuration. They are the entity to which calls are routed, as well as the location from which Call Routes are selected.
Select Settings > Signaling Groups
Initially choose Default call Route. Create the Route, as shown in the call Routing section, and then update the call Route to "From Telekom".
If NAT is used, then add the external public IP of the NAT box under static NAT outbound of the Signaling Group that is facing towards the Deutsche Telekom server.
Configure NAT so that the external public IP address does not change frequently. If it does, update the new IP address under "Static NAT Outbound".
Transformation Tables facilitate the conversion of names, numbers and other fields when routing a call. They can, for example, convert a public PSTN number into a private extension number, or into a SIP address (URI). Every entry in a Call Routing Table requires a Transformation Table, and they are selected from there. In addition, Transformation tables are configurable as a reusable pool that Action sets can reference.
Select Settings > Call Routing > Transformation.
Each Transformation Table contains a list of entries considered as routing rules to execute on. Each rule is executed in order until the end of the table is reached or when a Mandatory entry fails to execute.
Follow the procedure described below to configure Transformation Tables and the Entries.
Click the Create icon.
Similarly, create a transformation table towards Deutsche Telekom.
In the lab environment we added +4 to the called number while sending out to Deutsche Telekom. Towards CUCM, we removed the +. The following transformation examples are based on the lab setup and will differ based on the requirements.
For details on Transformation Table Entry configuration, refer to Creating and Modifying Entries to Transformation Tables. For call digit matching and manipulation through the use of regular expressions, refer to Creating Call Routing Logic with Regular Expressions.
Towards Deutsche Telekom
Towards CUCM
Call Routing allows carrying of calls between Signaling Groups. Routes are defined by Call Routing Tables, which allow for a flexible configuration of which calls to carry, and how to translate them.
Select Settings > Call Routing > Call Routing Table.
Call Routing Tables are one of the central connection points of the system, linking Transformation Tables, Message Translations, Cause Code Reroute Tables, Media Lists and the three types of Signaling Groups (ISDN, SIP and CAS).
In the SBC Edge, call routing occurs between Signaling Groups.
In order to route any call to or from a call system connected to the SBC, you must first configure a Signaling Group to represent that device or system. The following list illustrates the hierarchical relationships of the various Telephony routing components of a SBC call system:
Each call routing entry describes how to route the call and also points to a Transformation Table which defines the conversion of names, numbers and other fields when routing a call.
To create an entry:
Set the following fields:
Admin State:
Enabled - Enables the call route entry for routing the call, displays in configuration header as
Route Priority:
Priority of the route from 1 (highest) to 10 (lowest). Higher priority routes are matched against before lower priority routes, regardless of the order of the routes in the table.
Number/Name Transformation Table:
Specifies the Transformation Table to use for this routing entry. This drop-down list is populated from the entries in the Transformation Table.
Destination Signaling Groups:
Specifies the Signaling Groups used as the destination of calls. The first operational Signaling Group from the list is chosen to place the call. Click the Add/Edit button to select the destination signaling group.
Audio Stream Mode:
DSP (default entry): The SBC uses DSP resources for media handling (transcoding), but does not facilitate the capabilities/features between endpoints that are not supported within the SBC (codec/capability mismatch). When the DSP is configured, the Signaling Groups enabled to support DSP are attempted in order.
Media Transcoding:
Enabled: Enable Transcoding on SIP-to-SIP calls.
SIP Server Tables contain information about the SIP devices connected to the SBC Edge. Create a new SIP Server Table towards IP-PBX (Cisco CUCM)
Select Settings > SIP > SIP Server Tables
Signaling Groups allow grouping telephony channels together for the purposes of routing and shared configuration. They are the entity to which calls are routed, as well as the location from which Call Routes are selected.
Select Settings > Signaling Groups
The Message Manipulation feature comprises two primary components that work in concert to modify SIP messages. Those components are Condition Rules and Rule Tables. Conditional rule and rule table for the TLS registration and call to work are shown below.
Condition rules are simple rules that apply to a specific component of a message (e.g., diversion.uri.host, from.uri.host, etc.). The value of the field specified in the Match Type list box can match against a literal value, token, or REGEX.
Select Settings > SIP > Message Manipulation > Condition Rule Table. Click the Create icon at the top of the Condition Rule Table page.
If Authorization is present in INVITE:
If Authorization is present in REGISTER:
If Diversion header is present in INVITE:
Choose Operation as "Equal".
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
Add FQDN provided by Deutsche Telekom in the URI host of the following headers of the outbound SIP messages.
Add SIP trunk number in URI user for CONTACT header of all outgoing SIP messages.
Select Settings > SIP > Message Manipulation > Message Rule Table
Click the Create Message Rule Table icon.
Telekom - From, To, Request URI sends FQDN in URI Host:
Under "Telekom" Repeat the same for the To header.
Under "Telekom" repeat the same for request URI.
Telekom - add SIP Trunk number in URI user for contact header:
Telekom - add rport in the Via header:
Telekom - remove port from request line:
Create a new rule table for INVITE messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
SMM for INVITE - save Proxy-Authorization header:
This is used in the Condition Rule Table.
SMM for INVITE - If Authorization is present in INVITE delete route:
To avoid multiple instances of the same header in the INVITE message, all instances of the header are first removed and then a single instance is added again. A Condition Rule is added to achieve this for the following SMMs.
SMM for INVITE - add route:
SMM for INVITE - If Authorization is present in INVITE delete P-Early-Media:
SMM for INVITE - Add P-Early-Media:
SMM for INVITE - If Authorization is present in INVITE delete Allow-Events:
SMM for INVITE - Add Allow-Events
SMM for INVITE - Remove user and Add transport parameter in request line URI:
For TLS calls to work INVITE messages sent to Deutsche Telekom should have the following headers.
The initial INVITE includes the SIP header fields:
• Proxy-Require: mediasec
• Require: mediasec
• Security-Verify: msrp-tls;mediasec
• Security-Verify: sdes-srtp;mediasec
• Security-Verify: dtls-srtp;mediasec
Additionally, the SDP includes the attribute:
• a=3ge2ae:requested
SMM for INVITE - If Authorization is present in INVITE delete Proxy-Require:
SMM for INVITE - Add Proxy-Require
SMM for INVITE - If Authorization is present in INVITE delete Require:
SMM for INVITE - Add Require:
SMM for INVITE - If Authorization is present in INVITE delete Security-Verify:
SMM for INVITE - Add Security-Verify:
SMM for INVITE - If Authorization is present in INVITE delete SDP info a=3ge2ae:requested:
SMM for INVITE - Add a=3ge2ae:requested in INVITE SDP:
SMM for INVITE - Add P-Asserted-Identity:
Create a new rule table for REGISTER messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
SMM for REG - Add Allow in REGISTER:
SMM for REG - Add Supported in REGISTER:
For successful registration of the trunk to Deutsche Telekom, the following headers must be present in the REGISTER message.
For an initial REGISTER without Authentication Challenge, include the SIP header fields:
• Security-Client: sdes-srtp;mediasec
• Proxy-Require: mediasec
• Require: mediasec
For the following REGISTER with Authentication Challenge, in addition to the originally included SIP header fields it should also contain the following headers:
• Security-Verify: msrp-tls;mediasec
• Security-Verify: sdes-srtp;mediasec
• Security-Verify: dtls-srtp;mediasec
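The header requirements listed above for INVITE and REGISTER can be checked against a SIP trace once the SMM rules are in place. The following is an added example, not part of the Ribbon guide or the SBC software: a small checker that flags missing mediasec headers and headers duplicated by a rule that ran twice. The function names, the sample messages and the `example.invalid` host are assumptions made for illustration.

```python
import re

# Header values copied from the lists in this guide.
VERIFY = ("msrp-tls;mediasec", "sdes-srtp;mediasec", "dtls-srtp;mediasec")
# Headers whose values are comma-separable token lists.
LIST_HEADERS = ("require", "proxy-require", "security-client", "security-verify")


def parse_sip(raw):
    """Return (method, headers, body_lines); headers maps lower-case name -> values."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # no colon: not a header line
        name = name.strip().lower()
        if name in LIST_HEADERS:
            # Split combined values and drop optional whitespace so that
            # "sdes-srtp; mediasec" and "sdes-srtp;mediasec" compare equal.
            values = [re.sub(r"\s+", "", v).lower() for v in value.split(",")]
            values = [v for v in values if v]
        else:
            # Authorization and similar headers contain commas of their own.
            values = [value.strip()]
        headers.setdefault(name, []).extend(values)
    return method, headers, [l.strip() for l in body.split("\n")]


def check_mediasec(raw):
    """Return findings for one request; an empty list means it matches the guide."""
    method, h, sdp = parse_sip(raw)
    findings = []

    def need(values, wanted, label):
        n = values.count(wanted)
        if n != 1:  # absent, or repeated because a rule was applied twice
            findings.append(("missing " if n == 0 else "duplicate ") + label)

    if method not in ("INVITE", "REGISTER"):
        return findings
    need(h.get("require", []), "mediasec", "Require: mediasec")
    need(h.get("proxy-require", []), "mediasec", "Proxy-Require: mediasec")
    if method == "REGISTER":
        need(h.get("security-client", []), "sdes-srtp;mediasec",
             "Security-Client: sdes-srtp;mediasec")
    # Security-Verify: every INVITE, and a REGISTER that answers a challenge.
    if method == "INVITE" or "authorization" in h:
        for v in VERIFY:
            need(h.get("security-verify", []), v, "Security-Verify: " + v)
    if method == "INVITE":
        need(sdp, "a=3ge2ae:requested", "SDP a=3ge2ae:requested")
    return findings


# Constructed sample messages (not captured traffic); hosts, numbers and
# credentials are placeholders.
GOOD_INVITE = (
    "INVITE sip:+40000000001@sip.example.invalid;transport=tls SIP/2.0\r\n"
    "Proxy-Authorization: Digest username=\"u\", realm=\"r\", nonce=\"n\"\r\n"
    "Require: mediasec\r\nProxy-Require: mediasec\r\n"
    "Security-Verify: msrp-tls;mediasec\r\n"
    "Security-Verify: sdes-srtp;mediasec\r\n"
    "Security-Verify: dtls-srtp;mediasec\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 16384 RTP/SAVP 8\r\na=3ge2ae:requested\r\n"
)
# Same INVITE with Require added twice and the SDP attribute lost.
BAD_INVITE = GOOD_INVITE.replace(
    "\r\nRequire: mediasec\r\n", "\r\nRequire: mediasec\r\nRequire: mediasec\r\n"
).replace("a=3ge2ae:requested\r\n", "")
INITIAL_REGISTER = (
    "REGISTER sip:sip.example.invalid;transport=tls SIP/2.0\r\n"
    "Security-Client: sdes-srtp;mediasec\r\n"
    "Require: mediasec\r\nProxy-Require: mediasec\r\n\r\n"
)
# REGISTER answering a challenge, but without the Security-Verify headers.
CHALLENGED_REGISTER = INITIAL_REGISTER.replace(
    "\r\n\r\n", "\r\nAuthorization: Digest username=\"u\", realm=\"r\"\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("good INVITE", GOOD_INVITE), ("bad INVITE", BAD_INVITE),
                       ("challenged REGISTER", CHALLENGED_REGISTER)):
        print(label, check_mediasec(msg) or "OK")
```

The checker treats a REGISTER carrying an Authorization header as the challenged REGISTER, matching the "save Authorization" rule used for the condition table.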
SMM for REG - Add Security-Client:
SMM for REG - Add Proxy-Require:
SMM for REG - Add Require:
SMM for REG - save Authorization:
This will be used for condition rule table.
SMM for REG - add Security-Verify:
Create a new rule table for INVITE messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
SMM for PAI - remove + from the number sent out to PBX/PSTN end:
This SMM depends on the number transformation that is chosen in SWe Lite. For example, in our lab setup the phones registered to the PBX have phone numbers of the form 4xxxxxxxxxx. Any request from Deutsche Telekom will have the number +4xxxxxxxxxx. These changes are handled by transformation tables in SWe Lite. The transformation tables update only the 'To' and 'From' headers; the number in the P-Asserted-Identity header must be changed using this SMM. Add regex based on the requirements.
Create a new rule table for INVITE messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
SWe Lite does not support the History-Info header. SWe Lite converts the History-Info header into a Diversion header while relaying it out to Deutsche Telekom. As Deutsche Telekom expects History-Info, we store the header that we receive from the PBX in a local variable. This header will be used later.
Save History info - save History Info in a local variable:
Create a new rule table for INVITE messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
Add the history-info header that was stored in the previous step to the INVITE sent to Deutsche Telekom.
Save History info - save History Info in a local variable:
This SMM depends on the number transformation that is chosen in SWe Lite. For example, in our lab setup the phones registered to the PBX have phone numbers of the form 4xxxxxxxxxx. Any request to Deutsche Telekom will have the number +4xxxxxxxxxx. To accommodate this in the Diversion header we need to add an SMM that adds + before the number.
To avoid a duplicate + in the Diversion header during a re-INVITE, we need to remove all the + characters and then add only one +.
Relay History - remove + from diversion header:
Relay History - add + from diversion header:
The P-Preferred-Identity header is an important header for Deutsche Telekom in call forwarding cases. The P-Preferred-Identity header should carry the details of the instance that forwarded the call. This is the same as the Diversion header value. Hence the P-Preferred-Identity header value is picked from the Diversion header.
Relay History - add P-Preferred-Identity:
Create a new rule table for INVITE messages.
Settings > SIP > Message Manipulation > Message Rule Table. Click the Create Message Rule Table icon.
The first instance of History-Info relayed to Deutsche Telekom needs to be in a specific format; otherwise forwarding will not be successful. The SMM shown below modifies the History-Info to the following format.
History-Info: <sip:+4XXXXXXXXXX@tel.t-online.de;cause=302>;index=1
Once that is achieved we delete the Diversion header.
Relay History 2 - Modify History-info:
Relay History 2 - Modify History-info:
Relay History 2 - Modify History-info:
Relay History 2 - Modify History-info:
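The "+" handling and the History-Info format described in the Relay History sections above can be modelled outside the SBC. This is an added example in Python, not the SBC's SMM rule syntax and not taken from the Ribbon guide: it shows why a plain "add +" rule breaks on a re-INVITE and how the remove-then-add approach stays stable. The function names and the sample Diversion value are assumptions, as is taking the forwarding number from the Diversion header for the History-Info line.

```python
import re

# Captures the user part of the first SIP URI in a header value.
URI_USER = re.compile(r"(<sip:)([^@>]+)(@)")


def add_plus_naive(value):
    """Prepend '+' unconditionally; running it again on a re-INVITE gives '++'."""
    return URI_USER.sub(lambda m: m[1] + "+" + m[2] + m[3], value, count=1)


def add_plus_idempotent(value):
    """Remove every '+' from the user part, then add exactly one."""
    return URI_USER.sub(
        lambda m: m[1] + "+" + m[2].replace("+", "") + m[3], value, count=1)


def strip_plus(value):
    """Towards the PBX: drop '+' from the user part (the P-Asserted-Identity case)."""
    return URI_USER.sub(lambda m: m[1] + m[2].replace("+", "") + m[3], value, count=1)


def first_history_info(value, host="tel.t-online.de"):
    """Render the first History-Info entry in the format this guide gives."""
    m = URI_USER.search(add_plus_idempotent(value))
    if m is None:
        raise ValueError("no SIP URI in header value")
    return f"<sip:{m[2]}@{host};cause=302>;index=1"


# Constructed Diversion value; the number and address are placeholders.
DIVERSION = "<sip:40000000001@192.0.2.20>;reason=unconditional"

if __name__ == "__main__":
    once = add_plus_naive(DIVERSION)
    print("naive, 2 passes:     ", add_plus_naive(once))
    print("idempotent, 2 passes:", add_plus_idempotent(add_plus_idempotent(DIVERSION)))
    print("History-Info:        ", first_history_info(DIVERSION))
```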
Signaling Groups allow grouping telephony channels together for the purposes of routing and shared configuration. They are the entity to which calls are routed, as well as the location from which Call Routes are selected.
Expand the signaling group towards Deutsche Telekom.
Settings > Signaling Groups. Click the expand icon next to the entry.
Expand the signaling group towards IP-PBX Cisco UCM.
Settings > Signaling Groups. Click the expand icon next to the entry.
Unified Communications Manager Administration groups security-related settings for the SIP trunk to allow you to assign a single security profile to multiple SIP trunks. Security-related settings include device security mode, digest authentication, and incoming/outgoing transport type settings.
A SIP profile comprises the set of SIP attributes that are associated with SIP trunks and SIP endpoints. SIP profiles include information such as name, description, timing, retry, call pickup URI, and so on. The profiles contain some standard entries that you cannot delete or change.
SIP trunks can connect to a variety of endpoints, including PBXs, gateways, and service providers. Each of these endpoints implements the SIP protocol a bit differently, causing a unique set of interoperability issues. To normalize messages per trunk, Cisco Unified Communications Manager allows you to add or update scripts to the system and then associate them with one or more SIP trunks.
Use a trunk device to configure a logical route to a SIP network.
Resetting/restarting a SIP device does not physically reset/restart the hardware; it only reinitializes the configuration that is loaded by Cisco Unified Communications Manager.
For SIP trunks, Restart and Reset behave the same way, so all active calls will disconnect when either choice is pressed.
A route pattern comprises a string of digits (an address) and a set of associated digit manipulations that route calls to a route list or a gateway. Route patterns provide flexibility in network design. They work in conjunction with route filters and route lists to direct calls to specific devices and to include, exclude, or modify specific digit patterns.
The End User Configuration window allows you to add, search, display, and maintain information about Unified Communications Manager end users. End users can control phones after you associate a phone in the End User Configuration window.
The following checklist depicts the set of services/features covered through the configuration defined in this Interop Guide.
Sr. No. | Supplementary Services/ Features | Coverage |
---|---|---|
1 | SIP Trunk Registration | |
2 | Inbound Call-Mobile PSTN | |
3 | Outbound Call-Mobile PSTN | |
4 | Inbound call-Landline PSTN | |
5 | Outbound call-Landline PSTN | |
6 | Basic Call With Different Codecs | |
7 | Voice Mail | |
8 | Call Forward | |
9 | FAX using G711 | |
10 | Call Hold and Resume Outbound | |
11 | Call Hold and Resume Inbound | |
12 | Anonymous Calls Outbound | |
13 | Session Timers | |
14 | FAX - transcoding | |
15 | Call Transfer (Blind) | |
16 | Call Transfer (Attended) | |
17 | Cancel Call | |
18 | Long Duration Calls | |
Legend
Supported | |
Not Supported |
Observation - Any call to a PSTN mobile displays the caller's number with the country code, whereas any call to a PSTN landline excludes the country code.
For any support related queries about this guide, please contact your local Ribbon representative, or use the following details:
For detailed information about Ribbon products and solutions, visit: https://ribboncommunications.com/products
This Interoperability Guide describes the configuration steps required for Ribbon SBC Edge to successfully interoperate with Deutsche Telekom. All feature and serviceability test cases were completed and passed with the exceptions/observations noted in Test Results.
All features and capabilities tested are detailed within this document - any limitations, notes or observations are also recorded in order to provide the reader with an accurate understanding of what is/is not covered.
Configuration guidance is provided to enable the reader to replicate the same base setup — additional configuration changes are possibly required to suit the exact deployment environment.