|
  |
| Author |
Message |
wsadkin
Brekeke Member
Joined: 14 Nov 2010
Posts: 17
Location: Massachusetts
|
 Posted: Wed Nov 06, 2013 4:01 pm Post subject: How to: Registering when client and BSS on same host |
 |
|
1. Brekeke Product Name and Version: sip3_2_4_3
2. Java version: jre-6u19-windows-i586
3. OS type and the version: Windows 7
4. Other equipment: Nuance NVP4, Avaya/Genband A2
I am trying to see if I can use the BSS as a B2BUA to work around a problem I'm having with the field Remote-Party-ID in incoming INVITE packets from the Genband switch.
Long story short: In order to test this, I've had to install Brekeke on the same host as my SIP client, and now need it to listen on 5060, have my client sit on 5061, and have Brekeke register as though it were my client, and rewrite packets using the dial plan to make NVP4 happy.
Without Brekeke, I've successfully registered our client using the standard 5060 port, with my client setting its LocationServerURI to one value (the customer's DNS server), and its ProxyServerURI to another (the actual registrar.)
I've tried setting the client's proxyServerURI to sip:localhost, and then setting the BSS to do both upper and thru registration, setting the "Register Server" to the same value that the client's ProxyServerURI used to be (sip:10.65.227.178). Neither strategy works; no registration packets leave the host for the external proxy server for the registration.
I have no idea how to properly configure the BSS or my client to get this done, and I need better instructions than I've found in the manuals and wiki, as they don't seem to cover this configuration.
Help! |
|
| Back to top |
|
hope
Brekeke Master Guru
Joined: 15 Jan 2008
Posts: 862
|
| Posted: Wed Nov 06, 2013 5:10 pm Post subject: |
|
|
have you try set client
LocationServerURI: destination server IP
ProxyServerURL: Brekeke SIP Server IP |
|
| Back to top |
|
Mcgee
Brekeke Member
Joined: 27 Mar 2008
Posts: 18
|
| Posted: Wed Nov 06, 2013 7:42 pm Post subject: |
|
|
> its LocationServerURI to one value (the customer's DNS server),
What does it mean? Is it unresolvable FQDN?
Anyway.. you need to decide to use either Upper Registration or Thru Registration
If you use the Upper Registration:
- Disable the Thru Registration.
- Set 10.65.227.178 in Upper Registration's [Register Server]
- Set sip:127.0.0.1:5060 in both ProxyServerURI and LocationServerURI.
If you use the Thru Registration:
- Disable the Upper Registration.
- Set sip:127.0.0.1:5060 in ProxyServerURI
- Set sip:10.65.227.178:5060 in LocationServerURI.
Also, I recommend you use 15050 instead of 5061 for SIP client .
This is because the port 5061 is designed for SIP over TLS. |
|
| Back to top |
|
wsadkin
Brekeke Member
Joined: 14 Nov 2010
Posts: 17
Location: Massachusetts
|
| Posted: Thu Nov 07, 2013 10:19 am Post subject: |
|
|
| Hope wrote: |
have you try set client
LocationServerURI: destination server IP
ProxyServerURL: Brekeke SIP Server IP |
@Hope: Yes, I tried that, in both upper and thru modes; No upper or thru registration ensued, according to wireshark. One fundamental problem here is that there isn't just one "destination server" involved (see below.)
| Mcgee wrote: |
> its LocationServerURI to one value (the customer's DNS server),
What does it mean? Is it unresolvable FQDN? |
@Mcgee: For this customer, the machine fielding the REGISTER requests (the ProxyServer) is not the same as the machine that validates the user credentials; that is, the LocationServerURI has to be set to a value like sip:clientcompany.com (which knows nothing about SIP, but knows about valid users), while the ProxyServerURI is the the machine actually fielding the REGISTER requests, and handling the SIP details, ie. sip:10.65.227.178.
To be clearer about this, when I successfully register without the BSS, with:
LocationServerURI = sip:clientcompany.com
ProxyServerURI = sip:10.65.227.178
UserAgentID = 3948078
then what the generated REGISTER packet looks like is:
Internet Protocol Verion 4, Src: 10.77.255.82 (10.77.255.82), Dst: 10.65.227.178 (10.65.227.178)
User Datagram Protocol, Src Port: sip (5060), Dst Port: sip (5060)
REGISTER sip:clientcompany.com SIP/2.0
Via: SIP/2.0/UDP 10.77.255.82:5060;branch=z9hG4bK-d8754z-cc4b2b253d30900f-1---d8754z-
Max-Forwards: 70
Contact: <sip:3948078@10.77.255.82:5060;rinstance=f51460280a407b1a>
To: <sip:3948078@clientcompany.com.com>
From: <sip:3948078@clientcompany.com.com>;tag=b841770f
Call-ID: ZjU4YmYwYTZmZGIzODMxNjU0MjA2OWJkNzQ0MzQwMGE.
CSeq: 1 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, BYE, REFER, NOTIFY, INFO, OPTIONS
Supported: timer
User-Agent: NVP/4.0.2-CT88180
Content-Length: 0
Note that the destination for this packet is where I've set the ProxyServerURI to, whereas the REGISTER request line indicates that we're trying to register with the LocationServerURI. That entity is responsible for (I think) validating that the user trying to register is a valid user, but the machine handling the SIP conversation is the ProxyServer.
(I don't see any way to make this distinction in the BSS, by the way, which worries me, as it's absolutely required for successful registration in this environment.)
| Mcgee wrote: |
Anyway.. you need to decide to use either Upper Registration or Thru Registration
If you use the Upper Registration:
- Disable the Thru Registration.
- Set 10.65.227.178 in Upper Registration's [Register Server]
- Set sip:127.0.0.1:5060 in both ProxyServerURI and LocationServerURI.
If you use the Thru Registration:
- Disable the Upper Registration.
- Set sip:127.0.0.1:5060 in ProxyServerURI
- Set sip:10.65.227.178:5060 in LocationServerURI. |
I've tried both of these, with no success; in neither case does any packet traffic go out over the NIC. I also don't understand, in the former case, how I would make the BSS then make its own equivalent distinction between the LocationServer and the ProxyServer, and for the latter case, I don't see how I can get the BSS to talk to the real ProxyServer, since the "Register Server" is only settable for Upper Registration.
| Mcgee wrote: |
Also, I recommend you use 15050 instead of 5061 for SIP client .
This is because the port 5061 is designed for SIP over TLS. |
Good to know; FTR, I tried that as well, but it made no difference in solving my problem...
I'm beginning to think that the BSS can't do what I need... |
|
| Back to top |
|
Harold
Brekeke Master Guru
Joined: 21 Sep 2008
Posts: 287
Location: Japan
|
| Posted: Thu Nov 07, 2013 10:42 pm Post subject: |
|
|
Set
Thru Registration = on
Upper Registration = off
And add the following DialPlan rule.
| Matching Patterns | $request = ^REGISTER
To = @clientcompany.com.com
| | Deploy Patterns | $target = 10.65.227.178
$continue = true
|
Also set the following in the NVP4.
----------------------------------------------
LocationServerURI = sip:clientcompany.com
ProxyServerURI = sip:localhost
UserAgentID = 3948078
---------------------------------------------- |
|
| Back to top |
|
wsadkin
Brekeke Member
Joined: 14 Nov 2010
Posts: 17
Location: Massachusetts
|
| Posted: Mon Nov 11, 2013 4:26 pm Post subject: |
|
|
| Harold wrote: |
Set
Thru Registration = on
Upper Registration = off
And add the following DialPlan rule.
| Matching Patterns | $request = ^REGISTER
To = @clientcompany.com.com
| | Deploy Patterns | $target = 10.65.227.178
$continue = true
|
Also set the following in the NVP4.
----------------------------------------------
LocationServerURI = sip:clientcompany.com
ProxyServerURI = sip:localhost
UserAgentID = 3948078
---------------------------------------------- |
Thanks Harold; I tried this, but in my NVP logs, I'm seeing the return response for NVP's attempt to register with the above settings:
{
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 10.77.255.82:5070;branch=z9hG4bK-d8754z-d038b11d6c304234-1---d8754z-
To: <sip:3948078@bhs.bannerhealth.com>;tag=b39096166s
From: <sip:3948078@bhs.bannerhealth.com>;tag=c86fda06
Call-ID: NDI2OWU1NmNiZDI5NzM1ZTEwZWE5NmFjOTA1M2Y1NWM.
CSeq: 3580 REGISTER
Server: Brekeke SIP Server rev.367 Evaluation
Content-Length: 0
}
(and no SIP traffic logged in the BSS' sv logs, nor any errors that I can find.)
Is registration crippled in the eval version of the BSS, or is there still some configuration parameter I'm missing? |
|
| Back to top |
|
Harold
Brekeke Master Guru
Joined: 21 Sep 2008
Posts: 287
Location: Japan
|
| Posted: Tue Nov 12, 2013 10:41 am Post subject: |
|
|
Have you created a user account in the SIP Server? (in the [User Authentication] page.)
If the authentication failed, the server rejects REGISTER with "403 Forbidden".
Create a user in the [User Authentication] page, and set the same username and password in the NVP.
If 10.65.227.178 also requests an authentication, disable the [REGISTER Authentication] in the [Configuration]->[SIP] page. |
|
| Back to top |
|
wsadkin
Brekeke Member
Joined: 14 Nov 2010
Posts: 17
Location: Massachusetts
|
| Posted: Tue Nov 12, 2013 12:01 pm Post subject: |
|
|
| Harold wrote: |
Have you created a user account in the SIP Server? (in the [User Authentication] page.)
If the authentication failed, the server rejects REGISTER with "403 Forbidden".
Create a user in the [User Authentication] page, and set the same username and password in the NVP.
If 10.65.227.178 also requests an authentication, disable the [REGISTER Authentication] in the [Configuration]->[SIP] page. |
Oops. (DUH.)
Ok, with an appropriate user defined in the BSS, (thanks Harold!) I got the Thru registration to work, but now when I place a call to the system, in response to this INVITE:
INVITE sip:3948078@10.77.255.82:5060;rinstance=6268fa26a8066f15 SIP/2.0
From: "Unknown name"<sip:bimcmg1@clientcompany.com>;tag=4649
To: "SIPLineUser SIPLineUser"<sip:3948078@clientcompany.com>
Call-ID: 06acf9d424cbc461112d66b3423835a3c611ac@10.65.227.178
CSeq: 81685 INVITE
Via: SIP/2.0/UDP 10.65.227.178:5060;branch=z9hG4bK-3832cf-db867bc3-12d1df9a
Content-Type: application/sdp
Contact: <sip:7813062200@10.65.227.178:5060;user=phone>
User-Agent: Nortel SESM 14.1.7.2
Max-Forwards: 20
Supported: com.nortelnetworks.firewall,p-3rdpartycontrol,nosec,join,x-nortel-sipvc,gin,com.nortelnetworks.im.encryption,replaces
Remote-Party-ID: "Unknown name" <sip:7813062200@clientcompany.com;user=phone>;screen=yes;screen-ind=0;party=calling;counter=0;npi=NPI_UNKNOWN;ton=TON_UNKNOWN
P-Asserted-Identity: "Unknown name" <sip:7813062200@clientcompany.com;user=phone>
Allow: UPDATE,REFER
x-nt-corr-id: 6b5506f0-0b0c-dd17-0104-000000000000
x-nt-location: -1
P-Charging-Vector: icid-value=6b5506f0-0b0c-dd17-0104-000000000000;icid-generated-at=10.65.227.80
Content-Length: 254
v=0
o=AudiocodesGW 74517686 74517379 IN IP4 10.17.239.116
s=Phone-Call
e=unknown@invalid.net
c=IN IP4 10.17.239.116
t=0 0
m=audio 7680 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv
the BSS generates the following error in its error.log:
1384281780485, 10.65.227.178:5060, INVITE, 407, Authorization failed, sip:3948078@10.77.255.82:5060, sip:bimcmg1@clientcompany.com, sip:3948078@clientcompany.com, , Nortel SESM 14.1.7.2
(There is nothing logged in the sv log, even though I've asked it to log all SIP traffic, and AFAICT, there was no communication about the INVITE with the NVP4 service.)
This results in a 407 Proxy Authentication Required response from the BSS back to the SBC, viz:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 10.65.227.178:5060;branch=z9hG4bK-3832cf-db867bc3-12d1df9a
From: "Unknown name"<sip:bimcmg1@clientcompany.com>;tag=4649
To: "SIPLineUser SIPLineUser"<sip:3948078@clientcompany.com>;tag=b62fbc088s
Call-ID: 06acf9d424cbc461112d66b3423835a3c611ac@10.65.227.178
CSeq: 81685 INVITE
Server: Brekeke SIP Server rev.367 Evaluation
Proxy-Authenticate: Digest realm="Realm",nonce="a2b64474d1804a502f03ce570b8f3b28b3655f5a",algorithm=MD5
Content-Length: 0
(I've never seen this before.)
We get an ACK, but nothing further occurs in the call setup, and the phone just rings...
Why does the SBC sending an INVITE to us now require "proxy authentication," and now what do I need to do to get the thing to take the call?
(Thanks in advance) |
|
| Back to top |
|
wsadkin
Brekeke Member
Joined: 14 Nov 2010
Posts: 17
Location: Massachusetts
|
| Posted: Tue Nov 12, 2013 12:06 pm Post subject: |
|
|
Nevermind. I found my own answer: I had left/accidentally set? the toggle for INVITE under the Authentication section set to ON vs. OFF. Once I turned that off, then it answered the call.
Now on to getting the packets rewritten!
Thanks, again, Harold!
/Will Sadkin |
|
| Back to top |
|
Harold
Brekeke Master Guru
Joined: 21 Sep 2008
Posts: 287
Location: Japan
|
| Posted: Tue Nov 12, 2013 3:19 pm Post subject: |
|
|
The INVITE Authentication is "on" in the default.
I recommend you keep it "on" for protecting the server.
It seems 10.65.227.178 (Nortel SESM) doesn't send re-INVITE after 407 response.
If 10.65.227.178 is a trusted IP address, put the following rule in the top of the DialPlan rule page.
| Matching Patterns | $request = ^REGISTER|^INVITE
$addr = ^10.65.227.178|^127.0.0.1
| | Deploy Patterns | $auth = off
$continue = true
|
The above DialPlan rule disables INVITE and REGISTER Authentication if a packet came from 10.65.227.178 or 127.0.0.1.
It means the SIP Server requests Authentication to other remote IP addresses. |
|
| Back to top |
|
|
|
|
|
