November 2016
COPYRIGHT 2016 ALE International - ALL RIGHTS RESERVED
History
Edition 01: creation
Edition 02: updated information
Edition 03: updated for OT R2.1.1
* add WebRTC support
* add new client OTC One
Edition 04: updated for OT R2.2
Edition 05: updated for OT R2.2.1
* OTES Removal
Disclaimer
This documentation is provided for reference purposes only and does not fully describe the capabilities of each Product and related features. Therefore, ALE International
declines any liability for inaccuracies contained herein. For an exhaustive view on features list and product limits for the current product release please see the required
Feature List/Product Limits document available through the ALE eBusiness Portal web site.
In the interest of continued product development, ALE International reserves the right to make improvements or other changes to this document and the products it
describes at any time without prior notice.
Copyright
Copyright ALE International 2016. Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the
copyright holder.
Preamble
Objective of this presentation is to describe the different scenarios that can be
Agenda
1. Introduction
2. Edge Servers solution and use cases
3. Remote connectivity (public/private FQDN) and user authentication
4. Solutions Packaging
5. Conclusion
6. Document reference
Introduction
Customer needs
OTES Removal
Recommendation
OpenTouch release 2.2.1 now supports the Desktop Sharing feature through a Reverse Proxy.
So, from this release it is strongly recommended to no longer deploy an OTES
OTES Removal
Non NGINX Reverse Proxy
The customer already has a reverse proxy, but it is not an NGINX+.
In that case, suggest that the customer place an NGINX+ reverse proxy alongside the existing one.
BlueCoat or AudioCodes reverse proxies have not been validated yet for
Introduction
Topology and solutions
[Figure: topology with OTES, marked "No more recommended with OTES". Labels: External/Guest user remote access via Edge Servers; Corporate user; PSTN, cellular, Internet; DMZ with Edge Servers (Reverse Proxy, OTES, OT SBC) and VPN Gateway; Corporate Network with OTMS+OXE; VPN*.]
* VPN access scenario that is a technological alternative is described in backup slides of this presentation
Solution for Remote User Access - ed05d
Pre-Sales
Introduction
Topology and solutions
[Figure: topology without OTES. Labels: External/Guest user remote access via Edge Servers; Corporate user; PSTN, cellular, Internet; DMZ with Edge Servers (NGINX+ Reverse Proxy, OT SBC) and VPN Gateway; Corporate Network with OTMS+OXE; VPN*.]
* VPN access scenario that is a technological alternative is described in backup slides of this presentation
session and the media streams (audio and video) based on RTP or SRTP (encrypted media streams). It is a gateway between remote clients and the OXE and OpenTouch SIP services. OT SBC also supports WebRTC sessions for VoIP with compatible web browsers running the OTC Web client.
Together, these 2 elements allow all the use cases for remote access to OT services to be implemented. It is possible to deploy only the RP if remote VoIP services are not required in the deployment.
[Figure: Reverse Proxy features for a guest on an external device joining a scheduled conference created by a corporate user. Labels: IM, Document Sharing, Desktop Sharing, Vocal Access (Voice) over PSTN or cellular; Internet; DMZ with NGINX+ Reverse Proxy; OTMS+OXE.]
[Figure: the same guest scenario with the OT SBC. Labels: IM, Document Sharing, Desktop Sharing, Voice; Internet; DMZ with NGINX+ Reverse Proxy and OT SBC; OTMS+OXE.]
[Table and figure: services for OTC for iPhone (CV user). Columns: Telephony Services (1), Voice (over IP), Video, IM, Document Sharing, with several N/A entries. Labels: Internet, PSTN, cellular; DMZ with NGINX+ Reverse Proxy and OT SBC (2); OTMS+OXE.]
(1) Directory access, call control, visual voice mail, Call log, notification, routing
management
(2) Mandatory OT SBC if VoIP required (CV user only)
For more information refer to Product Presentations OTC for smartphone (available on eBP/Resources Center)
[Figure: network flows for the OTC Smartphone client (CV user). Labels: Untrusted environment (HOME, Internet, cellular, internet box, Pub@ / Priv@); External firewall; DMZ (NGINX+ Reverse Proxy, OpenTouch SBC, NAT, Hosted NAT Traversal (SIP)); Internal firewall; Trusted environment (Enterprise LAN, Priv@ CORPORATE, OXE Call Server, OTMS server). Flows: HTTPS, SIP TLS, SIP, SRTP, RTP.]
[Table and figure: services per OT device for OTC for PC, OTC for MAC, OTC One and OTC for Android tablet. Columns: Telephony Services (1), Voice (over IP), Video, IM, Document Sharing, Desktop Sharing, with several N/A entries. Labels: Internet; DMZ with NGINX+ Reverse Proxy and OT SBC; OTMS+OXE.]
(1) Directory access, call control, visual voice mail, Call log, notification, routing
management
[Figure: network flows for the OTC Tablet client (CV user). Labels: Untrusted environment (HOME, Internet, internet box, Pub@ / Priv@); External firewall; DMZ (NGINX+ Reverse Proxy, OpenTouch SBC, NAT, Hosted NAT Traversal (SIP)); Internal firewall; Trusted environment (Enterprise LAN, Priv@ CORPORATE, OXE Call Server, OTMS server). Flows: HTTPS, SIP TLS, SIP, SRTP, RTP.]
[Table: use of the Reverse Proxy and of the OT SBC (for Voice over IP) per client, including OTC for PC. Entries: Yes, Yes**, Yes (based on WebRTC), N/A.]
Remote Connectivity
Public/Private URL configuration
Public FQDNs are configured on the public DNS side to allow access to the Edge Servers installed in the DMZ of the corporate network. Public FQDNs point to public IP addresses accessible from the Internet.
Private FQDNs are configured on the private DNS side to allow the clients direct access to the OpenTouch server inside the corporate network. Private FQDNs point to the IP address of the OTMS server.
The public FQDNs for the Reverse Proxy and the OT SBC and the private FQDN for the OTMS server must be different.
For more technical details about configuration of FQDN in Remote User Access configuration, please refer to the
Technical Communication : TC1990 - OpenTouch from zero to Remote User - Installation/Configuration guideline
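The three FQDN rules above, written as a check over a DNS plan. This is an added example, not code from ALE or from this presentation. The host names are the ones shown in the presentation's diagrams; the IP addresses, the use of pub-ot.company.com as the Reverse Proxy name, and the function names are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def norm(fqdn):
    """DNS names are case-insensitive; ignore the trailing root dot."""
    return fqdn.rstrip(".").lower()

def is_internet_routable(addr):
    """True if addr is not private (RFC 1918), loopback, link-local or 0.0.0.0."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified
                or any(ip in net for net in RFC1918))

def check_plan(public_zone, private_zone, otms_fqdn, otms_ip):
    """Return a list of findings; an empty list means the plan follows the rules."""
    public = {norm(k): v for k, v in public_zone.items()}
    private = {norm(k): v for k, v in private_zone.items()}
    otms = norm(otms_fqdn)
    findings = []
    # Rule 1: public FQDNs point to public IP addresses reachable from the Internet.
    for name, addr in sorted(public.items()):
        if not is_internet_routable(addr):
            findings.append(f"{name}: public record points to internal address {addr}")
    # Rule 2: the private FQDN points to the IP address of the OTMS server.
    if private.get(otms) != otms_ip:
        findings.append(f"{otms}: private record is {private.get(otms)}, expected {otms_ip}")
    # Rule 3: Edge Server public FQDNs must differ from the OTMS private FQDN.
    if otms in public:
        findings.append(f"{otms}: OTMS private FQDN is also published in public DNS")
    return findings

# Constructed sample plans (addresses are documentation/private ranges, not real).
PRIVATE = {"ot.company.com": "10.10.0.20"}
GOOD_PUBLIC = {"pub-ot.company.com": "198.51.100.10",
               "pub-sip-services.company.com": "198.51.100.11"}
# Mistake: the OTMS name reused on the public side, differing only in case and dot.
BAD_PUBLIC = {"OT.Company.com.": "10.10.0.20",
              "pub-sip-services.company.com": "198.51.100.11"}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_PUBLIC), ("bad", BAD_PUBLIC)):
        print(label, check_plan(zone, PRIVATE, "ot.company.com", "10.10.0.20"))
```

Only the OTMS name is compared against the public zone, because the presentation shows conference.company.com being used on both the public and the private side.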
[Figure: FQDN configuration for remote OTC users (SIP signaling, audio/video media). Labels: Internet, DMZ (SBC, RP), Enterprise Network (OXE, OpenTouch, OV8770).]
Public FQDNs (public DNS): pub-sip-services.company.com (SBC); pub-ot.company.com and pub-ot.company.com:8016 (RP configuration)
Private FQDNs (private DNS): ot.company.com @IP OT; conference.company.com @IP ACS cluster
NB: OTC Web cannot be used for remote users; the conference URL is not resolvable in this case (i.e. clicking on the URL in Outlook would not work)
[Figure: FQDN configuration with the Web collaboration public interface (WebRTC signaling, audio/video media). Labels: Internet, DMZ (SBC, RP), Enterprise Network (OXE, OpenTouch, OV8770); Remote OTC users (connected clients); OTC Web (external guest users or remote corporate users joining from OTC Web).]
Public FQDNs (public DNS): pub-sip-services.company.com (SBC); pub-ot.company.com and pub-ot.company.com:8016 (RP configuration); Web collaboration public interface: conference.company.com
Private FQDNs (private DNS): oxe.company.com @IP OXE; ot.company.com @IP OT; conference.company.com @IP ACS cluster of OT
Any user clicks on the conference URL: Join online meeting: https://conference.company.com/call/7384972
[Figure: FQDN configuration with only the Web collaboration interface published. Labels: Internet, DMZ (SBC, RP), Enterprise Network (OXE, OpenTouch).]
Public FQDNs (public DNS): pub-sip-services.company.com (SBC); conference.company.com
OT Private FQDNs (private DNS): oxe.company.com @IP OXE; ot.company.com @IP OT; conference.company.com @IP ACS cluster of OT
Any user clicks on the conference URL: Join online meeting: https://conference.company.com/call/7384972
RP configuration
Reverse Proxy (high level) redirect rules:
Connected Users interface: Not configured
Web Collab interface: Conference.company.com (lan side), conference.company.com**
**Or OT Conferencing Service IP@ (ACS cluster IP)
OTC client
Authentication methods
with Reverse Proxy product
OTC Web
No authentication on RP
Login/Password
Login/Password
Login/Password
Note: Kerberos authentication mechanism for SSO is not compatible with remote access through the Reverse Proxy
See slide notes for more information and refer to the product Technical Documentation for details
Solution Packaging
ALE OpenTouch SBC General Information
WHAT ?
OpenTouch SBC is a Session Border Controller product used to manage the SIP sessions and media sessions of remote clients and devices. It handles the IP address translation between the public network (Internet) and the private (corporate) network. It is a security element acting as a VoIP firewall.
OT SBC is provided as a pure software package to be installed on top of a virtualized infrastructure.
HOW ?
Reference documentation (available in eBusiness Portal):
- Presales Presentation : OpenTouch SBC (Session Border Controller) Design and Quotation Guidance
- Offer documentation : Standard Offer (Security section for OT SBC Product Description)
- Application Note : OPENTOUCH SBC / A SECURE SOLUTION FOR BORDERLESS CONVERSATIONS
Solution Packaging
ALE OpenTouch SBC Packaging
SW solution
OT SBC
No Dongle
OS Linux CentOS
VM
Hypervisor
Solution Packaging
ALE OpenTouch SBC How To Quote in ACTIS
OTBE
OTMS
For more information about OT SBC quotation guidance refer to OT SBC presales presentation (available on eBP/Resources Center)
Solution Packaging
Reverse Proxy products General Information
WHAT ?
The Reverse Proxy acts as a security gateway for Web services by authenticating internal users who connect remotely over the Internet. The Reverse Proxy equipment performs the user authentication against a corporate AAA server (which may or may not be the same as the OpenTouch server).
The Reverse Proxy is provided by a 3rd-party vendor, as there is no such product in the ALE portfolio.
WHERE ?
The Reverse Proxy vendor should be part of the AAPP. This is the case for the BlueCoat and NGINX vendors.
The Reverse Proxy could also come from another vendor, but the technical prerequisites provided by ALE must be applied to the given product (refer to the dedicated Application Note), and the end-to-end configuration is the responsibility of the business partner.
HOW ?
Reference documentation (available in eBusiness Portal):
- AAPP web site : IWR (Interworking Report) documents between OpenTouch product and Reverse Proxy products
- Application Note : Official statement regarding reverse proxies/equipment non validated by ALU-E
Solution Packaging
Reverse Proxy products AAPP partnership
How to quote ?
Alcatel-Lucent doesn't directly resell the NGINX product.
Contact the NGINX reseller in your country.
Refer to the IWR document for NGINX-Plus product sizing.
Solution Packaging
Edge Servers Packaging optimization for VMware virtualized environment
If the two Edge Servers components (OT SBC + RP) need to be deployed then an optimization of the platform
[Figure: Reverse Proxy on CentOS; VM#1 and VM#2 on VMware ESXi.]
Conclusion
Customers, partners
OPENNESS
SECURE
Nomads
Remote workers
INTEGRATED
Reference Documentation
Documentation available in eBusiness Portal:
Customer Support > Technical Support
Application Note : Official statement regarding reverse proxies/equipment non validated by ALU-E
enterprise.alcatel-lucent.com
BACKUP SLIDES
linked to the client application running on the device (i.e. applicative VPN that is not launched on the device by
default but only with the client application and dedicated to carry IP flows of this application)
- VPN can also be provided by an additional VPN hardware device: e.g. RAP (Remote Access Point) for an employee working at home with Internet connectivity, or OmniAccess ESR for SOHO
[Figure: VPN access for the OTC PC client. Labels: Untrusted environment (Internet, internet box, Pub@); External firewall; DMZ (VPN Gateway); Internal firewall; Trusted environment (Enterprise LAN, Priv@ CORPORATE, OTMS server). Flows inside the IPSec VPN: HTTPS, RTP, SIP.]
[Figure: VPN access over Internet (Wifi). Labels: Untrusted environment (Internet (Wifi), internet box, Pub@); External firewall; DMZ (VPN Gateway); Internal firewall; Trusted environment (Enterprise LAN, Priv@ CORPORATE, OTMS server). Flows inside the IPSec VPN: HTTPS, RTP, SIP.]
[Figure: VPN access for the OTC Web client with audio on a residential phone or cellular. Labels: Untrusted environment (Internet, internet box, Pub@, PSTN, cellular); External firewall; DMZ (VPN Gateway); Internal firewall; Trusted environment (Enterprise LAN, Priv@ CORPORATE, PSTN Gateway, OTMS server). Flows: HTTPS inside the IPSec VPN; AUDIO over PSTN; RTP.]
WLAN Controllers
RAP models
Up to 64 RAP
Up to 512 RAP
Up to 256 RAP
Up to 1024 RAP
Up to 512 RAP
Remote User
Up to 2056 RAP
For more information refer to VoWLAN Design Guide and presales presentation (available on eBP/Presales Corner)
OmniAccess ESR
OA 5720
OA 5710
Remote User
OA 5725A
OA 5725R
OA 5840
OA 5850
[Table: solutions by user profile and services/flows. User profiles: Employee, Corporate user, Guest user (External or Employee). Services/flows: Data (Web Services), Media (Voice / Video). Solutions listed: VPN, Edge (RP), Edge (OT SBC), PSTN (Voice only). Note in the table: "Product roadmap to address this scenario based on Edge Servers (WebRTC technology)".]