Group:

I am trying to complete a conversion from Acme Packet/Oracle SBC to Metaswitch 
Perimeta SBC.  We found late during the cutover process that Polycom/Metaswitch 
hasn’t implemented a common TCP strategy to keep firewall TCP 
sessions/connections alive.  Has anyone in the group successfully implemented a 
TCP strategy and if so, am I missing anything?

With the ACME topology, all phones do the following regardless of protocol to 
maintain pinholes through firewalls:
1 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
60 SEC Phone -> Register -> Firewall -> SBC
60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC

Polycom:  Requires use of frequent SIP registration (maintained by Perimeta) to 
keep SIP pinholes through firewalls alive.
Metaswitch:  Requires TCP clients (Polycom) to maintain pinholes using native 
TCP keepalive syn/ack messages.

Polycom’s implementation of “TCP keepalives” is only applicable if the phone is 
using TLS.  There is no such setting for non-TLS TCP-based traffic.  So the 
phone will establish a TCP connection to the SBC, and then sit dormant if no 
registration/call/subscription messages traverse.  The firewall will close its 
ports, and the phone will lose connectivity.

Metaswitch has a fast-nat feature, which is used to shield switches from 
UDP-based registrations.  When enabled, fast-nat modifies the endpoint expire 
timer to allow the endpoint to re-register (keeping the firewall session 
alive).  For UDP, this works correctly, and the SBC responds to the endpoint 
with a 200 OK.  But for TCP, the SBC passes the re-registration attempt back to 
the switch.

TCP Metaswitch Example with fast-nat:
1 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
1 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft
60 SEC Phone -> Register -> Firewall -> SBC -> Register -> Broadsoft
60 SEC Phone <- Register (expire 60 Seconds) <- Firewall <- SBC <- Register (Expire 1 Hour) <- Broadsoft

My question to the group is: has anyone implemented TCP-based registration 
using Perimeta and Broadsoft?

Dave
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops
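
Added example, not part of the original post and not vendor code: a small model of the three REGISTER flows described above, counting how many REGISTERs reach the softswitch in an hour and whether the firewall pinhole survives. The 300-second firewall idle timeout, the class and function names, and the assumption that the phone refreshes exactly at the Expires interval are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sbc:
    name: str
    endpoint_expires: int   # Expires the SBC returns to the phone (seconds)
    core_expires: int       # Expires granted by the softswitch (seconds)
    absorbs: frozenset      # transports whose refreshes the SBC answers itself

def simulate(sbc, transport, fw_idle_timeout, duration=3600):
    """Return (REGISTERs reaching the softswitch, time the pinhole closes or None)."""
    core_registers = 0
    core_valid_until = 0
    t = 0
    while t < duration:
        # The phone sends a REGISTER at time t; the SBC forwards it when it
        # does not absorb this transport or the core registration has run out.
        if transport not in sbc.absorbs or t >= core_valid_until:
            core_registers += 1
            core_valid_until = t + sbc.core_expires
        # Nothing else crosses the firewall until the next refresh, so a
        # refresh interval longer than the idle timeout loses the pinhole.
        if sbc.endpoint_expires > fw_idle_timeout:
            return core_registers, t + fw_idle_timeout
        t += sbc.endpoint_expires
    return core_registers, None

FW_IDLE = 300  # assumed firewall idle timeout in seconds (not from the post)

# Hypothetical profiles matching the flows in the post.
ACME = Sbc("acme-style", 60, 3600, frozenset({"udp", "tcp"}))
FAST_NAT = Sbc("fast-nat as described", 60, 3600, frozenset({"udp"}))
NO_REFRESH = Sbc("no short expiry", 3600, 3600, frozenset())

def report():
    rows = []
    for sbc, transport in [(ACME, "tcp"), (FAST_NAT, "udp"),
                           (FAST_NAT, "tcp"), (NO_REFRESH, "tcp")]:
        rows.append((sbc.name, transport, *simulate(sbc, transport, FW_IDLE)))
    return rows

if __name__ == "__main__":
    for name, transport, core, closed in report():
        state = "stays open" if closed is None else f"closes at {closed}s"
        print(f"{name:22} {transport}: {core:2} REGISTERs/hour to core, pinhole {state}")
```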