Horizon Network Configuration Guidelines - Thisisfocusgroup.co.uk


VOICE | MOBILE | DATA | IT

Horizon Network Configuration Guidelines V6.0

For customers who wish to use third-party internet access, and also general networking guidance for the Horizon Hosted Platform.

The Complete Business Solution

FOCUS GROUP | HORIZON NETWORK CONFIGURATION GUIDELINES

Contents

1.0 Introduction
2.0 Public Access via Internet
2.1 Access Control
2.2 Voice & Video Traffic
2.3 SBC Discovery
2.4 UDP Fragmentation During Horizon Communications
2.5 SIP ALG
2.6 Desktop Client SIP ALG Bypass
2.7 Keep-Alives
2.8 UDP NAT Timeout
2.9 NAT Port Translation
2.10 DNS
3.0 Horizon Collaborate
3.1 Horizon Collaborate Access Control
3.2 Horizon Collaborate DNS SRV Records
3.3 Horizon Collaborate Video Bandwidth
4.0 The LAN
4.1 Support for VLANs
5.0 Firmware Upgrades
6.0 Mobile Clients Customer Firewall Requirements (R22)
7.0 Handsets
7.1 Phone RTP Port Ranges

Revision history
Author: Vicki Rishbeth
Reason: 2.8 UDP NAT Timeout amends

focusgroup.co.uk | 0330 024 2000

1.0 Introduction

While Focus Group always prefer to install our own dedicated and on-net bandwidth and LAN for our VoIP products, we recognise that some customers have existing data services they may like to use.

The purpose of this document is to define the access requirements for two scenarios when on-net access is not used as the delivery method for Horizon traffic to an end user site. The two scenarios are:

1. Delivered over Internet Access by a supplier other than the Horizon platform provider (Gamma Telecom).
2. Delivered via a Private Access/Interconnect to the Horizon platform provider (Gamma Telecom).

Horizon is designed to work using public IP addressing for access. This provides more than just the provision of speech and signalling protocols, but also access to other publicly available services which Horizon uses.

If a customer wishes to utilise another data provider or ISP, they need to ensure that the access can meet the following requirements and functionality. Failure to meet the access requirements below will result in quality and setup/support …

2.0 Public Access via Internet

2.1 Access Control

Customers must ensure that the following IP addresses and ports (both directions) are available and not blocked by firewalls. If these ports are not opened (i.e. a customer or network based firewall is blocking them), or the IP addresses are not allowed, Horizon will not function correctly.

DNS records utilised by Horizon are provided. These are informational only for most deployments, as DNS will be learned from records populated on Gamma's authoritative public DNS servers. Customers who maintain private DNS servers may need to populate the DNS records in their servers.

Focus recommends that only trusted IPs are allowed to send and receive traffic via ports 5060 and 5080.

Table 1.0 (cells that are truncated in the source are shown as "…")

Domain Name | Record Type | IP Address | Ports | Function
… | … | 88.215.61.171, 88.215.61.173 | TCP 80, 443 | Device provisioning, including soft clients and software …
… | … | …67 | TCP 80, 443 | Soft client provisioning and software …
… | … | 88.215.60.156, 88.215.60.166, 88.215.60.168 | TCP 443 | Soft clients, Integrator, …
…on.co.uk | A | 88.215.60.168 | N/A | …
… | A | 127.0.0.1 | TCP … | …

Table 1.0 (continued)

Domain Name | Record Type | IP Address | Ports | Function
…ntre | A | 88.215.60.162 | UDP 53 | A Records for Horizon Voice Signalling & Media
…2 | … | … | TCP … | …eptionist, Call …
…63 | … | … | TCP 5222 | Instant messaging and presence (for …)
… | … | 104.18.46.74 | TCP 80, … | …
… | … | 88.215.63.145 | UDP 123 | NTP for time/date …
…n.co.uk | A | 88.215.60.129, 88.215.60.132 | … | NTP for time/date display (Polycom)
… | … | … | TCP 389, 636 | Corporate …

2.2 Voice and Video Traffic

Voice and video traffic from all Horizon IP phones and soft-clients routes via Horizon Access SBCs as defined below. Occasionally new Horizon Access SBCs will be added to the list and the change will be communicated via regular channels.

IP Address | Protocol and Ports | Function
88.215.63.171 | UDP 5060, TCP 5080 | SBC SIP
…15.58.2 | UDP 10000-60000 | SBC RTP

2.3 SBC Discovery

DNS SRV records are used to provide a high availability service for Horizon IP phones and soft-clients. DNS SRV records resolve to two or more DNS A-records, which in turn resolve to IP addresses of Horizon Access SBCs. This mechanism provides each Horizon device with multiple SBCs to send or receive calls.

Domain Name | Record Type | Service | Protocol | Port | Function | Example
…k | SRV | SIP | UDP | 5060 | SRV Records for Horizon Voice Signalling Traffic | _sip._udp.sip1.unlimitedhorizon.co.uk
… | SRV | SIP | TCP | 5080 | New SRV record for SIP ALG bypass | _sip.…zon.co.uk
… | SRV | SIP | UDP | 5060 | New SRV record for SIP ALG bypass | _sip.…izon.co.uk
… | SRV | SIP | TCP | 5080 | SRV Records for Horizon Mobile Client Voice Signalling Traffic | _sip.…tedhorizon.co.uk
… | A | N/A | N/A | N/A | A Records for Horizon Voice Signalling Traffic | sip.…p.co.uk

2.4 UDP Fragmentation During Horizon Communications

In some instances the size of the UDP packets transmitted between the Horizon platform and customer handsets will exceed the default 1500 byte payload; when this happens packet fragmentation will occur. It is the responsibility of the customer to ensure that any in-path CPE is able to support UDP fragmentation. It is also advised that a check is made to confirm that any further applications/functions running on the CPE do not interfere with the reassembly of fragmented UDP packets.
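Added example (not from the Focus Group document): how a large SIP-over-UDP message is split into IPv4 fragments, and a reassembly check that fails when in-path CPE drops any fragment. It assumes the 1500 byte figure above is the link MTU, with a 20-byte IPv4 header and an 8-byte UDP header; the 3000-byte message size is constructed.

```python
"""Added example (not from the Focus Group document): model IPv4 fragmentation
of a UDP datagram at a 1500-byte MTU and check that a set of fragments seen on
the far side of the CPE would reassemble into the original message."""
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20    # bytes, no IP options (assumption)
UDP_HEADER = 8      # bytes
DEFAULT_MTU = 1500  # the 1500 byte figure from section 2.4, taken as link MTU


@dataclass(frozen=True)
class Fragment:
    offset: int           # IPv4 fragment offset field, in 8-byte units
    length: int           # bytes of IP payload carried by this fragment
    more_fragments: bool  # the MF flag; False only on the final fragment


def fragment_udp(payload_len: int, mtu: int = DEFAULT_MTU) -> List[Fragment]:
    """Split one UDP datagram (payload_len bytes of SIP text) into the IPv4
    fragments a router would emit for the given MTU.  The UDP header travels
    in the first fragment only, so only that fragment shows the port numbers."""
    datagram = UDP_HEADER + payload_len
    per_frag = (mtu - IPV4_HEADER) // 8 * 8   # payload per fragment, multiple of 8
    if datagram <= mtu - IPV4_HEADER:
        return [Fragment(0, datagram, False)]  # fits in one packet
    frags, sent = [], 0
    while sent < datagram:
        length = min(per_frag, datagram - sent)
        frags.append(Fragment(sent // 8, length, sent + length < datagram))
        sent += length
    return frags


def reassembles(frags: List[Fragment]) -> bool:
    """True if the fragments form one contiguous datagram ending in an MF=0
    fragment, which is what the CPE must pass for the message to be delivered.
    A firewall that drops non-initial fragments (they carry no UDP header)
    leaves a gap here, and the BLF / feature-sync messages never arrive."""
    ordered = sorted(frags, key=lambda f: f.offset)
    expect = 0
    for f in ordered:
        if f.offset * 8 != expect:
            return False          # gap or overlap: a fragment is missing
        expect += f.length
    return bool(ordered) and not ordered[-1].more_fragments


if __name__ == "__main__":
    # Constructed size: a 3000-byte SIP NOTIFY carrying BLF state.
    frags = fragment_udp(3000)
    for f in frags:
        print(f)
    print("all fragments:", reassembles(frags))
    print("first only:  ", reassembles(frags[:1]))
```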

If UDP fragmentation is not allowed on CPE network devices the following features may not function correctly:

- BLF (Busy Lamp Field)
- Feature Synchronisation (DND, Call Forward Busy, Call Forward Always & Call Forward Unreachable/No Answer)
- Incoming calls to Horizon devices after a series of call forwards within the same Horizon Company

2.5 SIP ALG

SIP Application Layer Gateway (ALG) is common in many of today's routers and in most cases enabled by default on enterprise, business and home broadband routers. Its primary use is to prevent problems associated with the router's firewall by inspecting VoIP traffic packets and, if necessary, modifying them to allow connection to the required protocols or ports.

On many business and home class routers an active SIP ALG will cause a mixture of problems by adjusting or terminating Horizon traffic packets in such a manner that they are corrupted and cause issues with the service, manifesting in a range of intermittent issues such as one-way audio, dropped calls, problems transferring calls, handsets dropping registration, and problems making or receiving internal calls.

SIP ALGs should be disabled on all CPE routers; we will not accept any faults or issues raised against Horizon if a SIP ALG is enabled.

For instructions on disabling this feature please refer to the specific router user guide.

2.6 Desktop Client SIP ALG Bypass

Summary

For deployments featuring Horizon Desktop Client, on Windows and Mac OS, please ensure that firewalls allow access to Gamma SBCs on TCP port 5080 in addition to UDP port 5050.

Description

Prior to January 2019 the Horizon Desktop Client used the standard UDP port 5060 to exchange signalling traffic with Horizon Access SBCs.

Due to its portability the Horizon Desktop Client is often used in remote access situations, at home or on public internet connections where a SIP ALG may be present and it is outside the user's control to disable it.

From January 2019 the Horizon Desktop Client will use new DNS SRV records as defined in the SBC Discovery section of this document. These records route SIP traffic to the Horizon Access SBCs via TCP 5080 as first choice. TCP 5080 is a non-standard port for SIP traffic, so SIP ALGs will not inspect and alter the traffic.
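Added example (not part of the Focus Group document): the SBC selection a client derives from the SRV records of section 2.3, combined with the Desktop Client order of attempts from section 2.6, every TCP 5080 SBC first and the UDP 5060 route as fallback. The SRV answers are constructed and the SBC target hostnames are hypothetical; no DNS query is made.

```python
"""Added example (not from the Focus Group document): order SBC connection
attempts from SRV data the way a Horizon client would, TCP 5080 first."""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answers keyed by owner name; targets are hypothetical.
ZONE: Dict[str, List[SRV]] = {
    "_sip._tcp.sip1.unlimitedhorizon.co.uk": [
        SRV(10, 60, 5080, "sbc-a.example.invalid"),
        SRV(10, 40, 5080, "sbc-b.example.invalid"),
        SRV(20, 100, 5080, "sbc-c.example.invalid"),
    ],
    "_sip._udp.sip1.unlimitedhorizon.co.uk": [
        SRV(10, 100, 5060, "sbc-a.example.invalid"),
        SRV(20, 100, 5060, "sbc-c.example.invalid"),
    ],
}


def order_srv(records: List[SRV], rng=random.random) -> List[SRV]:
    """RFC 2782 client ordering: ascending priority, then a weighted random
    draw within each priority so calls spread across equal-priority SBCs.
    rng is injectable so the draw can be made deterministic in tests."""
    out: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick = rng() * sum(r.weight for r in pool)
            for r in pool:
                pick -= r.weight
                if pick < 0 or r is pool[-1]:   # last entry guards rounding
                    out.append(r)
                    pool.remove(r)
                    break
    return out


def sbc_attempt_order(domain: str, rng=random.random) -> List[Tuple[str, str, int]]:
    """Desktop Client behaviour from section 2.6: try every SBC from the
    _sip._tcp SRV set (port 5080), then fall back to the _sip._udp set (5060)."""
    attempts: List[Tuple[str, str, int]] = []
    for proto in ("tcp", "udp"):
        for r in order_srv(ZONE.get(f"_sip._{proto}.{domain}", []), rng):
            attempts.append((proto, r.target, r.port))
    return attempts


if __name__ == "__main__":
    for attempt in sbc_attempt_order("sip1.unlimitedhorizon.co.uk"):
        print(attempt)
```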

If the client cannot reach the Horizon SBCs on TCP 5080 it will reattempt on the standard UDP 5060 route, so existing deployments behind restrictive firewalls will continue to make and receive calls.

For optimal performance it is strongly recommended that access to Horizon SBCs via TCP 5080 is allowed.

2.7 Keep-Alives

Handsets are pre-configured to send UDP keep-alive messages towards the Horizon platform every 45 seconds using the SIP port. These messages keep the firewall pin-holes open, which ensures the success of incoming calls.

2.8 UDP NAT Timeout

Set UDP NAT Timeout > 572 seconds.

Some routers have been reported to close NAT pinholes despite Horizon phones sending keep-alives every 45 seconds. To protect against this occurring it is recommended that the UDP NAT Timeout on the router is set higher than the SIP registration refresh interval for Horizon phones, that is, higher than 572 seconds.

2.9 NAT Port Translation

For Horizon handsets to register correctly, if using a router that requires setting up Dynamic Port Address Translation, the Port Multiplexing option must be selected.

2.10 DNS

A public DNS service must be available to the Horizon handsets so that the domain names can be resolved to the associated IP addresses. SRV and A record types are used by the Horizon service. As best practice, resilience of DNS needs to be considered, hence both a primary and a secondary DNS service should be configured as part of any deployment.

Gamma's DNS servers are detailed below; please note these can only be used with Gamma access.

Primary DNS Server: 88.215.61.255
Secondary DNS Server: 88.215.63.255

3.0 Horizon Collaborate

Customers who are deploying Unified Communications features with the Horizon Collaborate enhancement can use the IP address and port information for Horizon Collaborate servers to configure firewalls. DNS SRV records for server discovery are also provided for those managing private DNS.

Failure to provide access to these servers will cause issues for features like Instant Messaging, Presence, MyRoom sessions and Screen Sharing.

3.1 Horizon Collaborate Access Control

Collaborate Guest Client URLs are dynamically generated by the Collaborate My Room owner for sharing with Conference Guests.

Domain Name | Record Type | IP Address | Ports | Function
… | … | … | TCP 8443 | Collaborate Sharing Server
… | … | … | TCP 5222, TCP 5269, TCP 443, TCP 5280-5281, TCP 1081-1082 | Collaborate Instant Messaging and Presence server, for IMP, File exchange and Mobile gateway
… | … | … | TCP 8060, TCP 8070, UDP 1024-3024, UDP 3478 | Collaborate WebRTC server signalling, media and …
… | … | …8.215.50.161 | … | … clients
clients.mypabx.co.uk | A | 88.215.50.241, 88.215.50.242 | TCP 443 | Collaborate White-label Guest Client
clients.unlimitedhorizon.co.uk | A | 88.215.60.162, 88.215.60.163 | TCP 443 | Collaborate Guest Client

3.2 Horizon Collaborate DNS SRV Records

The DNS SRV records below are used to support high-availability services in Horizon Collaborate.

Domain Name | Record Type | Service | Protocol | Port | Function | Example
… | SRV | uss-client | TCP | 8443 | Horizon Collaborate sharing server | _uss-client.…zon.co.uk
… | SRV | xmpp-client | TCP | 5222 | Horizon Collaborate Instant Messaging and Presence … | _xmpp-client.…tedhorizon.co.uk
… | … | … | … | … | … | _xmpp-server.…tedhorizon.co.uk
… | … | … | … | … | … | _gateway-client.…

3.3 Horizon Collaborate Video Bandwidth

Horizon Collaborate Desktop and Mobile soft-clients implement Dynamic Video Bitrate, where the video quality will reduce when packet loss is detected between two video devices in a call. The feature aims to provide a stable and responsive video session when the bandwidth available for the call is constrained. It works by both video devices exchanging RTCP (Real-time Control Protocol) messages providing feedback if network conditions are poor and video frames are lost in transit. RTCP is sent to the same Horizon Access SBCs and port range as normal media (RTP) traffic, so no changes to customer firewalls should be required to support the feature.

The range of video bandwidth transmitted by Horizon Collaborate Clients is 128 kbps to 2048 kbps depending on network conditions. For deployments where bandwidth is known to be limited it is possible to limit the video bandwidth transmitted by the Horizon Desktop Client in the Audio/Video Settings.

4.0 The LAN

4.1 Support for VLANs

Both Cisco and Polycom phones provided as part of the Horizon service have CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) enabled as default on delivery. These protocols, CDP (Cisco proprietary) and LLDP including LLDP-MED (vendor neutral), are link layer protocols used by network devices for advertising their identities and capabilities in order to assist with management of the local area network environment, specifically VLAN segregation.

If you wish to support either of these functions for VLAN configuration/selection on the LAN, then you should enable the desired function on the network equipment and disable the alternative option. For example, if you wish to support CDP for a particular end user you should make sure LLDP is not configured as a live option on their network equipment and that CDP is enabled as a live option.

When using LLDP or CDP the Horizon phones will support and use any VLAN ID configured on the switching infrastructure (as part of the LLDP and CDP configuration) for both Voice and Data. If the customer wishes to daisy chain laptops or PCs using the switch port on the Horizon phones, any traffic from this port will be entered into the data VLAN.

Example VLAN set up (using CDP/LLDP):
Example Data VLAN: 20
Example Voice VLAN: 30

What we do not support:

- Fixed VLAN IDs
- Static VLAN assignment, either directly from the phone or from the core network.
- We cannot enable only one of the VLAN options (either CDP or LLDP). Both will always be enabled on Horizon phones and it is the customer's responsibility to enable/disable the required function on their network.

Please be aware Softphone Clients, ATAs and Wireless handsets (DECT) do not currently support …

5.0 Firmware Upgrades

Horizon handsets are pre-configured to check for configuration and firmware updates every evening between 00:00 and 05:00.

Horizon handsets will only download new configuration or firmware files when they detect that a change has been made. Configuration files are typically 70Kb or less, but firmware files are larger, ranging between 3.5 to 57.5MB. Network administrators should consider these file downloads with regards to the bandwidth available on the access circuits the Horizon service runs over.

Device Type | Firmware File Size
Cisco 122 | 10.0 MB
Cisco 232 | 11.3 MB
Cisco 501 | 4.2 MB
Cisco 502 | 4.2 MB
Cisco 504 | 4.2 MB
Cisco 509 | 4.2 MB
Cisco 525 | 11.6 MB
Polycom 331 | 3.5 MB
Polycom 335 | 3.5 MB
Polycom 450 | 4.1 MB
Polycom 650 | 3.5 MB
Polycom 5000 | 3.7 MB
Polycom 7000 | 11.3 MB
Polycom VVX 150 | 34.8 MB
Polycom VVX 201 | 33.4 MB
Polycom VVX 310 | 51.1 MB
Polycom VVX 411 | 51.1 MB
Polycom VVX 500 | 58.9 MB
Polycom VVX 600 | 57.5 MB
Polycom Trio 8500 | 294.3 MB
Polycom Trio 8800 | 294.3 MB
Yealink W52P | 9.2 MB

6.0 Mobile Clients Customer Firewall Requirements (R22)

Since August 2017 Horizon Mobile Clients use cloud messaging systems from Apple and Google to receive incoming call notifications. In 2019 instant messages will be sent to Mobile Clients in the same way.

When an incoming call is received by a user who is logged into the Horizon Mobile Client on Android or iOS (R22), Horizon servers will send a notification to Apple or Google's servers. Apple or Google will forward the notification to the device and the app will wake up, alert for an incoming call and will set up the voice call with the Horizon servers if the call is answered.

Any Horizon Mobile Clients (R22) operating behind firewalls must therefore allow access to Apple and Google push notification servers at the IP addresses and via the ports below.

These rules are derived from advice from Google and Apple. They specify wide ranges of IP addresses as their push notification servers scale to millions of requests, so new servers may be commissioned at new IP addresses in their ranges with no way to provide prior notice.

For the Mobile Client to receive push notifications from Apple or Google servers when running on a phone behind a firewall, access must be allowed to Apple and Google servers on the following ports:

Apple: TCP 443, 5223
Google: TCP 443, 5228, 5229 and 5230

The connections are outbound originated only, from the phone to the cloud messaging server. The phone will keep the connection alive and set up a new connection when required.

Apple and Google may commission new servers, at new IP addresses, at any time to manage the load across the systems. As a result it is not possible to provide customers with a list of IP addresses to configure the firewall with.

Push Notification servers are discovered using DNS requests, but these are managed by Operating System processes so, again, it is not possible to state a list of hostnames that could be entered into a firewall that can allow traffic based on configured …

Apple provide a straightforward solution: their servers will appear somewhere in their class A subnet, 17.0.0.0/8.

Google, however, only state that the IPs will appear in their ASN 15169. This contains hundreds of IP subnets, which would be impractical to input into a firewall. Focus have summarised the subnets to a more manageable list. This list is subject to change by Google and Focus will not be notified, so use of it is at the maintainer's own risk.

IP Address | Protocol and Ports | Function
8.0.0.0/10, 23.224.0.0/11, 35.128.0.0/9, 64.0.0.0/4, …223.160.0/20, 208.0.0.0/4 | TCP 443, 5228, 5229, 5230 | Push Notifications for Horizon Mobile Client – Android. These ranges, and the servers behind them, are operated by Google. Horizon Mobile clients R22 and up use Google's Firebase Cloud Messaging service to deliver notifications: …
17.0.0.0/8 | TCP 443, 5223 | Push Notifications for Horizon Mobile Client – iOS. These ranges, and the servers behind them, are operated by Apple. Horizon Mobile clients R22 and up use Apple's Push Notification service to deliver notifications: …
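Added example (not part of the Focus Group document): a check of outbound connection records against the allow-list this document specifies (the SBC SIP entry from section 2.2 and the Apple and legible Google push ranges above), so an administrator can find traffic the firewall dropped that Horizon needs. The log format and the log lines are constructed; only ranges that survive legibly on the page are included.

```python
"""Added example (not from the Focus Group document): flag firewall DROPs
that hit destinations Horizon requires.  Rules come from sections 2.2 and 6.0."""
import ipaddress
from typing import Iterable, List, Tuple

# (network, protocol, allowed ports, purpose) as stated in the document.
RULES = [
    ("88.215.63.171/32", "tcp", {5080}, "SBC SIP (ALG bypass)"),
    ("88.215.63.171/32", "udp", {5060}, "SBC SIP"),
    ("17.0.0.0/8", "tcp", {443, 5223}, "Apple push (iOS client)"),
] + [
    (net, "tcp", {443, 5228, 5229, 5230}, "Google push (Android client)")
    for net in ("8.0.0.0/10", "23.224.0.0/11", "35.128.0.0/9",
                "64.0.0.0/4", "208.0.0.0/4")
]
RULES = [(ipaddress.ip_network(n), p, ports, why) for n, p, ports, why in RULES]


def classify(dst: str, proto: str, port: int) -> str:
    """Return the Horizon purpose a flow matches, or '' if no rule covers it.
    Google traffic outside the summarised ranges returns '', which is the
    document's caveat: the list is Focus's summary and Google may change it."""
    ip = ipaddress.ip_address(dst)
    for net, p, ports, why in RULES:
        if proto == p and port in ports and ip in net:
            return why
    return ""


def blocked_horizon_flows(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse constructed 'ACTION proto dst:port' lines and return the
    (flow, purpose) pairs the firewall dropped but Horizon requires."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        action, proto, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        why = classify(dst, proto.lower(), int(port))
        if why and action == "DROP":
            hits.append((f"{proto}/{dst}:{port}", why))
    return hits


SAMPLE_LOG = [  # constructed, not from any real firewall
    "ACCEPT tcp 88.215.63.171:5080",   # SIP ALG bypass route, allowed
    "DROP udp 88.215.63.171:5060",     # UDP 5060 fallback blocked
    "DROP tcp 17.57.144.20:5223",      # Apple push blocked: iOS calls missed
    "DROP tcp 64.233.166.188:5228",    # Google push blocked: Android calls missed
    "ACCEPT tcp 142.250.74.100:5228",  # Google, but outside the listed ranges
    "DROP tcp 203.0.113.7:443",        # unrelated destination, not flagged
]

if __name__ == "__main__":
    for flow, why in blocked_horizon_flows(SAMPLE_LOG):
        print(f"blocked but required: {flow:<28} {why}")
```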

7.0 Handsets

- The phones require a DHCP address, hence must have access to a DHCP server. (Fixed static IPs are not supported.)
- NAT must be used and enabled for the DHCP pool supplied to phones.

7.1 Phone RTP Port Ranges

Horizon phones will send/receive RTP from the following port ranges (the Cisco rows are incompletely extracted in the source; missing cells are shown as "…"):

Device | RTP Port Min | RTP Port Max
Mobile client (Android/iOS) Audio | 8500 | 8599
Mobile client (Android/iOS) Video | 8600 | 8699
Desktop client (Windows/Mac) Audio | 8500 | 8599
Desktop client (Windows/Mac) Video | 8600 | 8699
Polycom xxx | 2222 | 2268
Yealink xxx | 16384 | 16538
Cisco 122 | 16482 | …
Cisco 232 | … | …
Cisco 501 | 16538 | …
Cisco 502 | … | …
Cisco 504 | … | …
Cisco 509 | … | …
Cisco … | … | …
