Before starting to use these configuration
notes, complete the following table to make sure you have the required information
to complete the different steps.
IMPORTANT: If you are not familiar with the meaning of the fields and
buttons, click Show Help, located at the upper right corner of
the Web page. When activated, the fields and buttons that offer online help will
change to green and, if you hover over them, the description will be displayed.
Note: The Mediatrix unit must be reinitialised to its factory default settings to make sure the configuration can be successfully executed.
Information | Value | Used in Step
Temporary IP address used by your Mediatrix unit to communicate with the Management Interface. | |
Important Information on NAT, Interfaces, and Ports
Since this scenario uses only one physical network interface (ETH1) for communicating both with
the ITSP/Public Internet and the IP-PBX, different ports will need to be assigned to the
signaling and media interfaces for the Sentinel to differentiate the traffic.
On the ITSP/Public Internet side, port 5060 is used for signaling with the 20000-20999
range for media. The router/firewall will need to be set up to allow connections from the
ITSP/Public Internet on these ports, and set up port forwarding to the Sentinel internal IP
address.
On the IP PBX side, port 5064 is used for signaling with the 21000-21999 range for media.
Depending on the PBX, this can be accomplished by either creating a SIP trunk on an alternate
port, or in the Outbound Proxy configuration.
The computer IP address must be in the same TCP/IP network as the Mediatrix
unit.
About this task
For better performance, it is recommended to use the latest available version of
Microsoft Internet Explorer, Google Chrome, or Mozilla Firefox.
Note: You may not be
able to log on to the Mediatrix unit Web interface if you are using older browser
versions.
Procedure
In your Web browser, enter the IP address at which the Web interface of your
Mediatrix unit can be reached.
If your network has an IPv4 DHCP server, connect the primary Ethernet
port of the Mediatrix unit (ETH1 port) to the network and use the IP address
provided by the DHCP server. The primary Ethernet port, i.e. ETH1 port, of the
Mediatrix unit must be connected to the switch.
If your network has no DHCP server, you can temporarily connect your computer
to the secondary Ethernet port of the Mediatrix unit (ETH2), using the
192.168.0.10 IP address. The computer must also own an IP address in the
192.168.0.0/24 network. Note that, after configuring the network, you will
need to reconnect your computer to the switch to finish the
configuration.
Enter admin as your
username and administrator as the
password.
Note: You can also use public as a username and
leave the password field empty. By default, this account has full administration
rights.
Click Login.
Results
The Information page of
the Web interface is displayed.
Steps
Go to Network/Interfaces.
In the Network Interface Configuration table, from the Link selection list located next to Uplink, leave the default
value, i.e. ETH1.
From the Type
selection list, select IpStatic (IPv4 Static).
Note: The Uplink
Network Interface must be set with a fixed IP address for the NAT/router to
be able to do port-forwarding to the unit. It will also be easier for the
PBX to communicate with the unit if the address is static.
In the Static IP Address field enter the Internal static IP address of the unit
followed by the subnet CIDR prefix (for example: 192.168.1.100/24, 10.1.2.3/8,
etc.).
From the Activation
selection list, select Enable.
Click Apply to apply
all changes to the configuration.
Note: Once the changes are applied, the connection with the unit might be lost.
You may need to reconnect to the web page using the new address, or plug
your computer back into the network switch to continue configuration on the
Uplink network.
Result
The unit can be reached (via the Web) with the Static
Address.
Although it is possible to use public DNS servers, you should always ask your
Internet service provider to provide at least the primary and secondary DNS
servers.
Steps
Go to Network/Host.
In the DNS Configuration table, from the Configuration Source
selection list, select Static.
For each DNS used, enter the IP address of the DNS.
Configuring the SNTP Server to a Static IP Address
Before you begin
Make sure there is an SNTP server available.
Steps
Go to Network/Host.
In the SNTP Configuration table,
from the Configuration Source
selection list, select Static.
Provide an IP address or domain name and port numbers for each SNTP server you
are using.
Note: The best practice is to use the servers supplied by your Internet
Service Provider, then complement with servers from a different network
close to your geographical area. For example: time.nist.gov (USA), ntp4.sptime.se (Sweden), time1.isu.net.sa (Saudi Arabia), ntp.nict.jp (Japan), time.google.com (Worldwide),
pool.ntp.org or one of their regional server pools (see
https://www.ntppool.org/ for more information).
If necessary, change the value of the Synchronisation Period.
If necessary, change the value of the Synchronisation Period on Error.
Click Apply.
Result
The SNTP host name and port will be displayed in the Host Status table under Network/Status.
Rulesets must be imported. The latest Ruleset package can be found at
https://media5.secure.force.com/supportportal (you will be required to supply
a user name and password). In the Downloads tab, choose
SBC Updated Rulesets, then download the zip file and extract it
to your PC.
Context
Steps
Go to Management/File.
Note: Required Rulesets depend on the scenario being configured. Refer to the
Call Agent and Routing Ruleset sections of the configuration notes for
details on Rulesets needed to complete the configuration.
Note: The next step is only required when importing the first Ruleset and if you
are not using a secure connection to access the Management Interface
(http://).
Click Activate unsecure
file importation from the Web browser.
From the Path field,
select sbc/rulesets/.
Click Browse, and
navigate to the Ruleset you wish to import, i.e.
media_relay.crs
Note: Ruleset file extension must be *.crs for Call Agent Rulesets or *.rrs for
Routing Rulesets.
Click Import.
Repeat for all required rulesets.
Result
The imported Ruleset will appear in the Internal files table, with the
selected path in front of the name. The Ruleset will be available in the tables of the
SBC/Rulesets page.
Steps
Go to SBC/Configuration.
In the Call Agent Configuration
table, click located on the same row as remote_users_ca.
In the Configure Call Agent table,
complete the fields as follows:
Select the Enable check
box.
From the Signaling Interface
selection list, select uplink_s.
From the Media Interface
selection list, select uplink_m.
Set the Peer Network to
0.0.0.0/0
In the Call Agent Rulesets table,
click .
Note: You can ignore the "Invalid configuration" and "Unknown ruleset" warnings.
They will disappear when the configuration is saved.
From the Name
selection list, choose drop_common_scanners_in.
Click
From the Name
selection list, choose remote_users_behind_nat.
Click
From the Name
selection list, choose rate_limit_register_per_source_in.
In the Parameters
field, enter REGISTER_ATTEMPTS=X
Note: Where X represents the number of incoming registration attempts that you
wish the Sentinel to allow from the remote users per minute. If more than X
registration attempts are received from remote users within one minute,
the Sentinel will respond with 403 to the further attempts. Leaving the
Parameters field empty will allow 20 incoming registration attempts per
minute.
Click
From the Name
selection list, choose registration_throttling_in.
Click
From the Name
selection list, choose rate_limit_invite_per_source_in.
In the Parameters
field, enter CALL_ATTEMPTS=Y
Note: Where Y represents the number of incoming call attempts that you wish the
Sentinel to allow from the remote users per second. If more than Y call
attempts are received from remote users within one second, the Sentinel
will respond with 403 to the further attempts. Leaving the Parameters field
empty will allow 1 incoming call attempt per second.
Click
From the Name
selection list, choose reject_unregistered_users_in.
Click
From the Name
selection list, choose media_relay.
Click Save.
In the Configuration
page, click Save.
Click Apply to apply
all changes to the configuration.
Result
No will be displayed in
the Config.Modified field,
indicating that the configuration that was modified is now applied to the system. When
the Sentinel unit uses the selected Call Agent for a communication, the selected
parameters will be applied.
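The following Python model is an added example, not Media5 code: it shows how a per-source REGISTER limit such as REGISTER_ATTEMPTS behaves when several remote phones share one NAT address, which helps when choosing X. It assumes fixed 60-second windows keyed on the source IP address; the addresses and event times are constructed.

```python
from collections import defaultdict

# Page default when the Parameters field is left empty: 20 REGISTERs per minute.
DEFAULT_REGISTER_ATTEMPTS = 20


def apply_register_limit(events, limit=DEFAULT_REGISTER_ATTEMPTS, window=60):
    """Model of a per-source REGISTER limit.

    events: iterable of (time_in_seconds, source_ip), sorted by time.
    Returns a list of (time, source_ip, verdict), verdict being "pass" or "403".
    Assumption: fixed windows of `window` seconds keyed on the source IP
    address; the Sentinel's actual counting method is not given on this page.
    """
    counts = defaultdict(int)  # (source_ip, window_index) -> attempts seen
    results = []
    for t, src in events:
        key = (src, int(t // window))
        counts[key] += 1
        results.append((t, src, "pass" if counts[key] <= limit else "403"))
    return results


def rejected_per_source(results):
    """Count the 403 verdicts per source address."""
    rejected = defaultdict(int)
    for _, src, verdict in results:
        if verdict == "403":
            rejected[src] += 1
    return dict(rejected)


# Constructed sample: 30 phones behind one NAT address (203.0.113.10) all
# re-register within the same minute after a power cut, while a single
# remote user (198.51.100.7) registers once.
SAMPLE = sorted(
    [(i * 1.5, "203.0.113.10") for i in range(30)] + [(5.0, "198.51.100.7")]
)

if __name__ == "__main__":
    print("limit 20:", rejected_per_source(apply_register_limit(SAMPLE)))
    print("limit 40:", rejected_per_source(apply_register_limit(SAMPLE, limit=40)))
```

In this model the default of 20 leaves ten of the thirty REGISTERs from the shared address answered with 403, while the single remote user is unaffected.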
Steps
Go to SBC/Configuration.
In the Call Agent Configuration
table, click next to lan_ip_pbx_ca.
In the Configure Call Agent table,
complete the fields as follows:
Select the Enable check
box.
From the Signaling Interface
selection list, select pbx_s.
From the Media Interface
selection list, select pbx_m.
Set the Peer Host to the IP
address of the IP PBX.
In the Call Agent Rulesets table,
click .
Note: You can ignore the "Invalid configuration" and "Unknown ruleset" warnings.
They will disappear when the configuration is saved.
From the Name
selection list, choose media_relay.
Click Save.
Click Apply to apply
all changes to the configuration.
Result
No will be displayed in
the Config.Modified field,
indicating that the configuration that was modified is now applied to the system. When
the Mediatrix SBC uses the selected Call Agent for a communication, the selected
parameters will be applied.
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select UDP.
In the Destination Port,
enter 20000-21999.
From the Action selection list, select Accept.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select TCP.
In the Destination Port,
enter 80.
From the Action selection list, select Accept.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select UDP.
In the Destination Port,
enter 5060.
From the Action selection list, select Rate Limit Source.
In the Rate Limit Value
field, enter 20.
In the Rate Limit Time Unit
field, enter 60.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select UDP.
In the Destination Port,
enter 5064.
From the Action selection list, select Rate Limit Source.
In the Rate Limit Value
field, enter 20.
In the Rate Limit Time Unit
field, enter 60.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select TCP.
In the Destination Port,
enter 5060.
From the Action selection list, select Rate Limit Source.
In the Rate Limit Value
field, enter 20.
In the Rate Limit Time Unit
field, enter 60.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select TCP.
In the Destination Port,
enter 5061.
From the Action selection list, select Rate Limit Source.
In the Rate Limit Value
field, enter 20.
In the Rate Limit Time Unit
field, enter 60.
Click .
In the Local Firewall Rules table,
complete the fields as follows:
Note: Not all fields are mandatory. You may leave some fields empty. Uplink is case
sensitive.
From the Activation selection
list, select Enable.
In the Destination Address,
enter Uplink.
From the Protocol selection
list, select TCP.
In the Destination Port,
enter 5065.
From the Action selection list, select Rate Limit Source.
In the Rate Limit Value
field, enter 20.
In the Rate Limit Time Unit
field, enter 60.
Note: Before setting the Default Policy to
Drop, review
your rules to make sure that at least one rule accepts incoming packets,
otherwise the communication with the Mediatrix unit will be lost.
In the Local Firewall Configuration
table, from the Default Policy selection
list, select Drop.
Click Save & Apply to
apply all changes to the configuration.
Result
Calls will only reach the Mediatrix unit if they are using the SIP protocol (ports
5060, 5061 for remote users and 5064, 5065 for IP PBX) or the RTP protocol (ports
20000-21999). The Local Firewall rules will open the ports intended for:
RTP on the Remote Users side (20000-20999) and on IP PBX side (21000-21999)
(Step 3)
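Before the Default Policy is switched to Drop, the rule table can be checked against the port plan. The Python check below is an added example, not part of the Mediatrix product: it copies the Local Firewall rules from the steps above and assumes first-match evaluation; the flow labels and probe values are this example's own.

```python
# Local Firewall rules exactly as entered in the steps on this page
# (Destination Address is Uplink for all of them):
# (protocol, first_port, last_port, action)
PAGE_RULES = [
    ("UDP", 20000, 21999, "Accept"),
    ("TCP", 80, 80, "Accept"),
    ("UDP", 5060, 5060, "Rate Limit Source"),
    ("UDP", 5064, 5064, "Rate Limit Source"),
    ("TCP", 5060, 5060, "Rate Limit Source"),
    ("TCP", 5061, 5061, "Rate Limit Source"),
    ("TCP", 5065, 5065, "Rate Limit Source"),
]

# Flows that must keep working after the switch to Drop. The labels and the
# choice of flows are this example's reading of the page's port plan.
REQUIRED_FLOWS = {
    "web interface": ("TCP", 80),
    "SIP remote users": ("UDP", 5060),
    "SIP IP PBX": ("UDP", 5064),
    "RTP remote users (low)": ("UDP", 20000),
    "RTP remote users (high)": ("UDP", 20999),
    "RTP IP PBX (low)": ("UDP", 21000),
    "RTP IP PBX (high)": ("UDP", 21999),
}


def evaluate(rules, proto, port, default_policy="Drop"):
    """Return the action of the first rule matching proto/port, else the default."""
    for r_proto, first, last, action in rules:
        if r_proto == proto.upper() and first <= port <= last:
            return action
    return default_policy


def uncovered(rules, flows):
    """Labels of required flows that would fall through to the Drop policy."""
    return sorted(label for label, (proto, port) in flows.items()
                  if evaluate(rules, proto, port) == "Drop")


if __name__ == "__main__":
    print("uncovered with page rules:", uncovered(PAGE_RULES, REQUIRED_FLOWS))
    # Constructed mistake: the web interface rule (TCP 80) was forgotten.
    no_mgmt = [r for r in PAGE_RULES if r[:2] != ("TCP", 80)]
    print("uncovered without TCP 80:", uncovered(no_mgmt, REQUIRED_FLOWS))
    for probe in [("TCP", 5064), ("UDP", 5061), ("UDP", 22000)]:
        print(probe, "->", evaluate(PAGE_RULES, *probe))
```

With the rules exactly as listed on this page, TCP 5064 and UDP 5061 match no rule and fall to Drop, so a PBX trunk that runs SIP over TCP on port 5064 would need its own rule.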
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or
changes.