Assumes the user is familiar with navigating the SBCx000's WebUI
The RBA feature requires the latest ASM image. Be sure that the HQ ASM is upgraded to the latest image version.
Install the Lync Server Resource Kit on the Lync Server. You will want the Bandwidth Policy Server Monitor Application to verify the dynamic CAC Profile changes. See the Microsoft Lync Server site to obtain the Resource Kit and installation instructions.
The RBA Feature is only supported between two Sonus SBC nodes
The RBA Feature requires an ASM installed on the HQ SBC
The RBA Feature is included only in SBC version 3.0 or newer.
This quick start document shows the steps and interlational parameters required to configure a UX to successfully route calls. The configuration process of a UX should always begin with running a wizard; however, the wizard only needs to be run for the very first configuration.
There are many different architectures which might be used for connecting remote sites to a main site. The manual pages for this 3G4G feature specify a VLAN switch with the 3G4G and WAN networks sharing a single port of the UX.
The implementation below uses a 3G4G router connected to the remote LAN segment, thus dedicating the WAN connection to a SBC port. This configuration elminates then need for a VLAN-capable switch.
As a prerequisite to installing the RBA feature, check the following items:
- STUN Setting on the SBC
- Installed ASM Image
- RBA License
- DNS Configuration
Configure Send STUN Packets to Enabled in the Media | Media System Configuration.
If your HQ-side SBC was running version 2.2, you will need upgrade both the ASM image as well as the SBC firmware. The latest ASM image is available at support.net.com.
These instructions detail the use of an SBA image rather than the RBA image. Both images perform equivalent functions for the RBA implementations. In fact, a future SBC version will use a single image for both SBA and RBA. For now, you may use either the RBA or SBA image when installing the 3G4G Backnet feature.
Is your ASM running an SBA image compatible with your Lync Server? If you're running Lync 2013, be sure your ASM image is the Lync 2013 SBA image. The Lync 2013 SBA image is available from downloads.net.com.
Under the Tasks Tab | Application Solution Module | Reinitialize the pull-down selection will supply the possible images currently available on your ASM. Update your ASM images if you are implementing Lync Server 2013 and there is no Lync 2013 image available on your ASM.
Check the RBA License
Verify that your SBC is licensed for the RBA feature.
Add both SBCs to the DNS server. In the example, SBC2000 is the HQ SBC and SBC1000 is the remote network SBC. The DNS server is configured only with the LAN-side IP addresses of these nodes, 10.1.1.74 and 10.1.2.71, respectively.
Add the FQDNs and IP addresses for nodes that are part of the RBA feature:
- Remote-network SBC
- HQ SBC
- HQ ASM
- Lync Server
Lync Server Topology Configuration
The remote-network SBC must be added to the Lync Topology. Follow these steps:
- Open the Topology Builder
- Add a new Branch Site
- Add the SBC as a PSTN Gateway
Open the Lync Topology Builder
Start the Topo Builder
Enter Login Credentials
Download the Topology
Specify a Filename
New Branch Site
Add a new Branch Site. In the example, Taveuni is the new remote branch.
Right-click on Branch Sites and select New Branch Site
Enter the remote site identity
Configure the site details
New PSTN Gateway
Add sbc1000.sbc.net as Taveuni's PSTN Gateway.
The RBA function requires media bypass, which, in turn requires TLS/SRTP. Later this document, the remote PSTN gateway will be re-configured from TCP/RTP to TLS/SRTP. Employing the simplier TCP/RTP model will help ease the implementation by providing a phased approach to the implementation.
Finally, Publish the newly configured topology.
Lync Server Configuration
Create a new Site Voice Policy
Add a Site Policy
Select the remote site you just added to the Lync topology.
Add a new PSTN Usage
Supply a Name and Add a Route
Configure a call route pattern
Add a Trunk
Choose the newly added remote-network SBC
Click OKat each of the configuration layers
Commit New Site Voice Policy
Commit the changes to the Voice Policy
Click the Commit pulldown and Commit All
Verify Route and PSTN Usage
Verify the Route and PSTN Usages were added properly in the previous steps.
In the top navigation bar, click Route. Ensure that the route was added.
In the top navigation bar, click PSTN Usage. Ensure that the PSTN Usage was added.
Create a User New Dial Plan
Similar to the previous steps, the following configuration adds User templates as opposed to Site templates.
To enable the RBA function, Lync users will have User-level Dial Plans and Voice Policies. The next steps create those policies.
Click Dial Plan in the top navigation. Click New_and select _New User Plan.
Enter the information for your site and click OK.
Create A New User Voice Policy
Create the Voice Policy that will be used with for the remote-network users.
Click Voice Policy in the top navigation. Click New and select User Policy.
Fill in the form as shown using information for your particular installation.
Click New under Associated PSTN Usages.
Create a New PSTN Usage
Create a PSTN Usage to be used with the User-level policies.
Create a New PSTN Usage record.
Enter your site-specific configuration information.
Click Add for Associated Trunk
Select the remote-network SBC gateway
Click OKfor all the configuration layers.
Commit the additions to your Lync configuration.
Click the Commit pulldown, then select Commit All.
Verify the Route was added.
Verify the PSTN Usagewas added.
Add or Move a User into the New Remote Location
You will need to have a user homed to the remote-network location.
Click Users in the left-hand navigation. Enter the name of the user to move to the remote network and click Find.
In the Edit pulldown, select Show Details.
Set the Dial Plan and Voice Policy of the user to thos of the remote network Userpolicies.
Configure the Network Configuration
The Network Configuration controls how the CAC policies are applied. Follow the instructions to properly configure the Lync Network Configuration to interoperate with the RBA 3G4G link changes.
Click Network Configuration in the left-hand navigation. Click Global in the top navigation, click the Edit pulldown, and select Show Details.
Ensure that the CAC and Bypass options are selected. Change the settings and commit, if necessary.
Create a New Bandwidth Policy
Create a Bandwidth Policy to be used to control the CAC from the RBA function.
Click Bandwidth Policy in the top navigation and select New.
Enter the bandwidth specification for your remote network link, then click Commit.
Create a New Region
Create regions to be used with the RBA feature. There will be a region for the HQ, as well as the remote-network.
Click Region in the top navigation and select New.
Add a record for the remote region and Commit.
Click New to add the second region.
Add a record for the HQ site and Commit.
Create a new Site
Create sites to be used for the RBA function. Again, there will be a HQ site, as well as a remote site.
Click Site in the top navigation and select New.
Enter the information for your remote site. Click Commit.
Click New and enter the information for your HQ site. Click Commit.
Create New Subnets
IP addresses are used by the Lync Server to identify the origin of a Lync client. Create subnet records for both the HQ and remote network sites.
Click Subnet in the top navigation and select New.
Enter the IP network information for the remote network.
Click Newand enter the IP network information for the HQ network.
Create a Region Link
Create a Region Link between the sites.
Click Region Link in the top navigation and select New.
Using the pulldowns, select the HQ Region, the Remote Region and the Bandwidth Policy profile you previously created.
Create a New Region Route
Create a Region Route for the Region Link.
Click Region Route in the top navigation and select New.
Add the Network Regions as shown and add the newly created Region Link.
Domain Controller Configuration
The RBA ASM computer must be added to the Domain Controller as noted below. The computer must also be added to the RTCUniversalServerAdmins group.
On the Domain Controller, open the Server Manager
Add a new computer to Active Directory. You should have already selected a FQDN for the ASM module during the DNS Configuration section.
Input the name of the ASM computer
Add the computer to the RTCUniversalServerAdminsgroup
Configuring the RBA
Have you added the RBA as a computer in the Domain Controller and made it part of the RTCUniversalServerAdmins group?
Verify the ASM Board is Available using the Tasks Tab | Operational Statusselection
Click Setup SBA in the left-hand navigation
Click the ASM Config Tab and supply the information for your ASM. Click Apply.
Click the Domain tab and supply the domain information for your network. Click OK. It will take a minutes to add the ASM to the domain and reboot.
The Current Activity Panel will show when the domain join and rebooting processes are complete
Click the Deploy SBA tab and select Prepare SBA. This will install the necessary components for the ASM to process the CAC changes supplied by the remote-network SBC. It will take approximately 30 minutes for the installation to complete.
The RBA requires only the Prep SBA step. The other SBA deployment steps are not required.
Ensuring the WAN and IPsec traffic use the appropriate routes is crucial to successful RBA failover.
SBC 1000 Static Routes
Click the Settings Tab and select Static Routes as shown in the diagram
On the remote-network SBC, add a Static IP Route
Create a default route that points to the WAN interface on the HQ SBC. Set the Metric to 1.
Create another default route that points to the IPsec interface on the HQ SBC. Set the Metric to 2.
Default routes are required for the automated routing failover to function. Only use default routes.
Verify the newly added static routes
SBC 2000 Static Routes
On the HQ SBC, add specific subnet routes that point to the remote-network. One route should use the remote-network SBC's WAN connection (metric 1), the other should point to the Internet gateway (metric 2).
- When the WAN is up, the WAN-specific route to the remote-network will be used.
- When the WAN is down, the default Internet router will be used to send the traffic via the 3G4G carrier network.
SIP Server Tables and Signaling Groups
Configure the SIP Servers and Signaling Groups for both HQ and remote-network SBCs.
SBC 1000 SIP Server Table
Click SIP Server Tablesin the left-hand navigation
Add a SIP Server Table
Enter a description and click Apply.
Click the newly added SIP Server Table
Enter the information for the HQ SBC
SBC 1000 Signaling Groups
Click Signaling Groupsin the left-hand navigation. Add a Signaling Group for the HQ SBC.
Add the information to the newly added SG.
SBC 2000 SIP Server Table
On the HQ SBC, add a SIP Server Table that points to the remote-network SBC
SCB 2000 Signaling Groups
On the HQ SBC, add a Signaling Group that points to the remote-network SBC
On both SBCs, ensure that the Signaling Groups come Up
On the HQ SBC, verify that the Routing Table shows the route to the remote network using the WAN IP address of the remote SBC. In this case, the route to 10.1.2.0 (remote network) uses the remote SBC's 126.96.36.199 as the gateway.
Testing Connectivity over the WAN Link
Using a Command Prompt window from a PC on the remote network.
Ping the FQDN of the remote SBC. It should return remote-side private IP address (10.1.2.71 in this example).
Then ping the FQDN of the HQ SBC. It should return the IP address on the private side of the HQ network (10.1.1.74 in the example, not188.8.131.52)
- Ping the FQDN of the Lync Server
- Ping the FQDN of the Domain Controller
- Ping the FQDN of the DNS Server
- Ping the FDQN of the RBA
All the returned IP addresses must be on the private-side of the HQ network (e.g. 10.1.1.x)
From a PC on the HQ side of the network
Ping the FQDN of the Remote SBC. It should return a remote LAN IP address.
- Ping a PC on the remote LAN. Check that the default router on the remote LAN PC is set to the (remote) SBC's LAN interface address (10.1.2.71 in the example).
Test a Lync to Lync Call
At this point you should be able to call Lync-to-Lync over the WAN.
Creating the IPsec Tunnel
Use the following steps to configure an IPsec tunnel between the remote and HQ SBCs.
SBC1000 IPsec Configuration
The following steps configure the remote SBC to generate an IPsec tunnel to the HQ SBC when the WAN is down.
Click IPsec | Tunnel Tablein the left-hand navigation.
Add a Tunnel Table
- Enter the configuraton information for your IPsec tunnel.
- The Local Subnet Address must be programmed with IP information for the remote network.
The Remote Subnet Addressmust be programmed with IP information for the HQ network.
SBC2000 IPsec Tunnel Configuration
The following steps configure the HQ SBC to receive an IPsec tunnel from the remote SBC when the WAN is down.
Configure an IPsec tunnel on the HQ SBC with information appropriate to your network. On the HQ SBC, the Local Subnet Address is the HQ network, the Remote Subnet Addressis the remote network subnet(s).
In this section you will test the IPsec tunnel to ensure connectivity exists when the WAN link is down.
Preparing for Verification
- Pull the cable from the WAN port on the Remote SBC. You must pull the cable from the WAN port on the Remote SBC for this verification step. Downing the WAN port results in automatically disabling the WAN IP route.
Manually remove the WAN Route from the HQ SBC
On the Remote SBC, use the refresh button to verify the Service Status is Link Up.
The Signaling Groups should come back up after the IPsec tunnel is esablished.
Verifying PC Connectivity
From a remote LAN PC, ping the FQDN of the HQ SBC. Note that the Round Trip Time (time) is much longer than that for the ping over the WAN link.
- Make a Lync call from between remote and HQ lync clients. The clients should ring and answer.
Re-add the HQ SBC WAN Route
Before proceeding, replace the HQ SBC WAN route to the remote SBC.
Configuring for Automated Switchover
With the successful testing of the static IPsec tunnel, it is time to make the tunnel dynamic so that the 3G4G link is only used activated when the WAN is down.
Modify the Remote SBC IPsec Tunnel Activation to Link Monitor Action and click OK.
SBC 1000 CAC Profiles
The CAC profiles are transmitted to the Lync Server via the HQ SBC when the WAN transitions link states.
Create the CAC Profiles on the Remote SBC
Click WAN in the left-hand navigation and select CAC Profiles.
Create a profile for the WAN up situation. Set the bandwidths according to your desired WAN link configuration and capacity. Click Applywhen finished.
Now, create a CAC profile for WAN down. Setting the Bandwidth State to Disabledresults in any HQ<>remote-network calls being routed over the PSTN.
SBC 1000 Link Monitor Configuration
The Link Monitors provide the ability for the remote SBC to know whether the WAN is up and available.'
Click Link Monitor Configuration
Add a monitor to monitor the public IP interface of the HQ SBC and click Apply.
Add a monitor to monitor the 3G4G router port. Associate this Link Monitor with the IPsec Tunnel you recently created. With this link activated (due to WAN down), the IPsec tunnel will be automatically started.
Verify the following tables on the remote SBC
SBC 2000 Link Monitor Configuration
Configure a Link Monitor on the HQ SBC in order that it may dynamically adjust its internal routing table when the WAN link switches. The Link Monitor is configured to monitor the WAN side only.
Create a fake CAC entry. This entry will be ignored for purposes of bandwidth adjustment.
Create a Link Monitor that monitors the WAN interface of the remote SBC.
Verify the condition of the routes and IPsec links.
WAN Link Up
With the WAN link up, the HQ SBC routing table and Link Monitor should resemble the following.
With the WAN link up, the remote SBC's routing table should point to the WAN interface on the HQ SBC.
The Link Monitor Table should be Readyon the WAN link
The IPsec tunnel should be Link Down
Verify the Lync Bandwidth Profile using the Bandwidth Policy Service Monitor, which is installed as a component of the optional Lync Server Resource Kit (available from the Microsoft Lync Server website).
Open Windows Explorer to C:\Program Files\Microsoft Lync Server 2013\ResKit\BandwidthPolicyServiceMonitor and select PDPMonUI.exe.
Expand the server name in the left-hand navigation and select the expanded server.
Click the Topology Infotab
Verify the bandwidth settings are for the WAN up values.
Test a call between a HQ and Remote Lync client. Calls between HQ and Lync clients should connect directly over the WAN without need for a PSTN connection.
WAN Link Down
Downing the WAN Link should result in the following status. With the WAN link down, verify your implementation to the following:
HQ SBC Status
On the HQ SBC, the WAN Link Monitor should show down and the IPsec tunnel up.
Remote SBC Status
On the Remote SBC, the Link Monitor should show the 3G4G link up, the WAN link down, and the IPsec tunnel up.
Within two or three minutes, the Bandwidth Policy should automatically update to the WAN down bandwidth values.
Test a call between a HQ and Remote Lync client. In the WAN down condition, you should be able to call between HQ and Remote Lync clients. The calls should utilize the PSTN connection between the SBCs.
Remember, for Lync implementations, the SBC is a PSTN gateway for the Lync Server. When in the WAN down condition, the Lync server will send calls to the remote PSTN (SBC) gateway. You must configure the customary SBC routes and transformation tables that would be used for calls to/from Lync.
Setting the Remote SBC to TLS
The remote SBC must beconfigured to TLS/SRTP in order for the remote Lync clients to send calls over the PSTN during a 3G4G failover. The following steps will assist you in configuring the Lync Server and remote SBC for TLS/SRTP.
On the Lync Server, start the Topology Builder and Edit Properties for the remote site Trunk.
Change the port and configuration to support TLS as shown.
Publish the topology.
Certificate for the SBC
Certificates are required for TLS/SRTP functionality. The following steps will assist you in installing certificates on the remote SBC.
Click the Taskstab.
Click Lync Setupin the left-hand navigation
Obatin the root certificate from your network administrator and copy it to your PC. From the webui, click Import Trusted CA Certificateas shown.
Set the Mode to File Upload and Browseto find the file containing the root certificate.
Click OKto import the root certificate.
Click the Generate CSRto generate a certificate request for the SBC. You will send this certificate request to be signed by the your certificae authority.
Copy and paste the certificate request into a file and send it to your root certificate authority for signing.
When the signed certificate is returned, click the Sonus SBC Certificatetab and import the certificate.
Set the Mode to File Upload and Browseto find the file containing the SBC certificate.
Verify the SBC and root certificates
Setting the SIP Server and Signaling Group for TLS/SRTP
On the remote SBC, set/create the Lync Server SIP Server as shown.
Set/create a Lync Server Signaling Group as shown.
The Lync Server Signaling Group should come up
RBA Data Flows
WAN Up Flow
WAN Down Instant Message Flow
WAN Down Lync-to-Lync Call Flow
- As an IP router, the SBC forwards the SIP request from the remote Lync to the Lync Server
- Lync server sends a SIP request to the remote SBC (as a SIP --> PSTN gateway)
- Remote SBC dials the HQ SBC via PSTN
- HQ SBC (as a SIP Gateway) sends a SIP request to the Lync server
- Lync Server sends SIP Request to the HQ Lync client
- Remote Lync client audio bypasses directly to the remote SBC.
This section contains troubleshooting tips and suggests for various issues that may arise during RBA implementation.
Prepare SBA not run
A wireshark trace which shows an exception due to an unrecognized cmdlet is likely due to the Prep SBA function not being executed. Review the Configuring the RBA section of this document.
RBA computer not a member of RTCUniversalServerAdmins group
Should the CAC bandwidths fail to change when the active link is switched between the WAN and the 3G4G link and this message appears in the RBA system Event Log, then the RBA computer (ASM) is not a member of the RTCUniversalServerAdmins group. See the Domain Controller Configuration section of this document.
A gpresult comamnd run from directly from the RBA computer (ASM) which shows that the computer is not a member of the RTCUniversalServerAdmins group.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 4/5/2013 at 9:07:11 AM
RSOP data for SBC\Administrator on RBA1 : Logging Mode
OS Configuration: Member Server
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No
Last time Group Policy was applied: 4/5/2013 at 8:06:36 AM
Group Policy was applied from: demo4.sbc.net
Group Policy slow link threshold: 500 kbps
Domain Name: SBC
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
System Mandatory Level
NT AUTHORITY\Authenticated Users
Service Status Stays Yellow
Check the routing table on the remote SBC. The remote SBC must use default routes (0.0.0.0/0) rather than network routes.
OPTIONS with Carrier's IP address
If the HQ SBC receives OPTIONS with the 3G4G carrier's source IP address, then the configured routing or hosts are incorrect. Make sure that the SBC are configured to use only the LAN interface addresses.
RBA Command Working Properly
This wireshark trace shows a properly working cmdlet to change the CAC bandwidth policies.