Define Deployment Configuration
The MiCollab server
can be deployed in a variety of ways, depending on which services and
applications you wish to provide, where your users are located, and whether
you are using a physical or virtual system.
NOTE: User configuration data can
be downloaded three times, before it expires. Deployment data is deleted
after six weeks.
MiCollab is deployed
with MiCollab Client
Deployment, however, the following basic configuration scenarios are recommended:
NOTE: A trusted third party SSL
certificate is required for MiCollab Client Deployment. Install the certificate
on the MBG in the DMZ and on the MiCollab on the LAN.
Use these scenarios to obtain an overview of the conditions and settings
that you need to employ. For detailed instructions, refer to the documents
provided with MiCollab,
MBG and MiCollab Client Deployment.
For other deployment configuration examples, see the MiCollab Engineering
Guidelines.
NOTE: The MBG
Web Proxy is not supported directly on a MiCollab
server in either LAN mode or Network Edge mode.
NOTE: For sites using Integrated
Directory Services, users may need to manually enter their Active Directory
credentials on their phone after deployment.
MiCollab
in LAN Mode Clustered with MBG(s) in the DMZ
This solution consists of MiCollab
on the corporate LAN and one or more MBGs
providing Teleworker and Web Proxy services in the DMZ. The Teleworker
service is employed on both the MiCollab
and MBG systems
while the Web Proxy Service is provided only by the MBGs.
The Teleworker service in MiCollab
is only used to remotely manage the Teleworker phones that are configured
on the MBGs.
To support this configuration, install the MiCollab
server with the MBG
application in the LAN and install one or more standalone MBG servers in the DMZ. Then
create a cluster that ties the MBGs together.
Conditions
The MiCollab
server on the LAN must be configured in "Server-only on LAN"
mode and the MBG(s)
in the DMZ must be configured in "Server-only on DMZ" mode.
(Note that MBG
clustering is only supported for MiCollab
systems that are configured in "Server-only on LAN" mode.)
The MBGs
in the DMZ must be routable to the MiCollab
server on the LAN.
All MBGs
must have the same software version. This ensures support for the
full range of MBG
features and services.
The MBG
on MiCollab
and the MBG(s)
in the DMZ must be added to a cluster. Clustering provides the following
benefits:
Allows data (including Teleworker services) to be managed
from the MiCollab
application.
Enables licence pooling. Note that, although licences are
pooled, it is recommended that you purchase all Teleworker service
licenses for the MBG(s) located in the DMZ in order to avoid licensing
issues.
The MiCollab and MBG nodes must reside in separate
logical zones. Use the default zone for the node located on the LAN
(which you may rename) and create a new zone for the nodes located
in the DMZ.
MiCollab
in LAN Mode Clustered with MBGs in the DMZ
Key Settings
The following table lists the key settings required to successfully
program the systems (MiCollab,
MBGs, firewall)
in conjunction MiCollab Client
Deployment. For a complete programming instructions, refer to the appropriate
product documentation.
Feature |
System |
Configuration |
Installing the
Systems |
MiCollab |
Install MiCollab
on the LAN:
Install and configure the MSL operating system software,
configuring only the "Local" (internal) adapter. Enter the ARID and install the application software. |
MBGs |
Install MBG(s)
in the DMZ:
Install and configure the MSL operating system software,
configuring only the "Local" (internal) adapter. Enter the ARID. Configure the network profile:
Under Applications,
select MiVoice Border
Gateway. Select System Configuration
> Network Profiles. Select Server-only
on network DMZ. Click Apply. Configure the SIP options:
Under System Configuration,
select Settings. For SIP support
the recommended setting is TLS.
To support SIP resiliency, select TLS or TCP. Configure
matching values in the MiCollab Mobile Client
deployment profiles (below). For Allowed URI
names, enter the addresses that MBG should accept
in SIP requests, in addition to its own. For example,
if DNS is being used to resolve the MiCollab
server on the LAN, enter its server name in FQDN format
(mycompany.com). Configure matching values in the MiCollab Mobile Client
deployment profiles (below). Configure the LAN server web proxy:
Under Applications,
select Remote proxy services. Select Add new
LAN server proxy. Enter the WAN-side
FQDN of MiCollab Client Deployment. Select MiCollab
as the server type and Deployment
Unit as the user interface. Enable the new server and click Save.
NOTE: To share MBG
configuration data (but not IP addresses or network profiles)
amongst the systems, create a cluster. See below for instructions. |
Configuring
the Firewall |
Firewall
|
Program firewall rules
to allow the Client Deployment Service – which resides on
your MiCollab Server – to reach the Redirect Servers (mcdepl01.easydeploy.net
and mcdepl02.easydeploy.net) on port 443/tcp. This is required
to send data to the Redirect Servers which help the clients
to find the respective MiCollab server and which will also
send the deployment emails to the end user’s email address.
If you are using MBG
Teleworker service in the DMZ, consult the MiCollab Engineering
Guidelines for a description of the port usage and firewall
settings. |
Clustering the
MBGs |
MiCollab and MBGs |
Create a cluster:
Access the MiCollab
MBG
and create a new cluster:
Designate the MiCollab MBG
as a master by clicking Create
a cluster. Enter the IP address of the server you have selected
to be the slave as the IP
Address of peer node. Click Save. Access the slave MBG
and add it to the cluster:
Designate the MBG as a slave
by clicking Join. Enter the IP address
of the master server as the IP
Address of peer node. Click Save. Synchronize the master/slave databases. Set the weight of both the master and slave to 100. If there are any other MBGs
in the DMZ, add them as slaves and adjust their weight value
to 100.
Subdivide the cluster into two logical
zones:
Access the MiCollab
MBG
and add a new cluster zone called "DMZ". Rename
the "Default" zone as "LAN" zone, add
the current node to it, and set "DMZ" as the backup
zone. (You can use other names if you wish.) Access the MBGs
in the DMZ, add them to the "DMZ" zone, and set
the "LAN" as the backup zone. Direct LAN-based devices to the a "LAN" zone
and Internet-based devices to the "DMZ" zone. |
Configuring
MiCollab Client
Deployment |
MiCollab |
Connect to the MBG(s):
Access MiCollab Client
Deployment and create a connection to an MBG
in the DMZ. First enter configuration details and then generate
an authentication request. Access the MBG
in the DMZ, open Web Services, approve the authentication
request and copy the verifier. Access MiCollab Client
Deployment and paste the verifier into the newly created MBG connection. The
connection is validated with a token. If there are any other MBGs
in the DMZ, connect to them to the MiCollab Client
Deployment as described above.
Create deployment profiles for the MBG(s):
Access the MiCollab Client
Deployment and either modify the default profile (which is
currently associated with the local MBG) or add a new profile. Configure the profile, ensuring that the following settings
are correct:
Use
Teleworker - Select to enable Teleworker clients to
register via the MBG instead of directly to the PBX. MBG
- Select the MBG
connection in the DMZ that this profile will employ. Config
download host - Specify where clients can download
the configuration. To have clients connect using DNS, select
MiCollab Server FQDN
or Custom. In most
cases, you will need to set this to Custom
and enter the FQDN of the MBG configured in external
DNS. If multiple MBGs
are providing SIP device resiliency, a single FQDN can be
used to resolve to them. For example, use mycompany.com to
resolve to mbg1.mycompany.com and mbg2.mycompany.com. MBG
SIP host - Specify on which interface that Teleworker
clients must use to register via the MBG.To
have clients connect using DNS, select MBG’s FQDN or
Custom DNS SRV and
enter the FQDN of the MBG configured in external DNS. If multiple
MBGs
are providing SIP device resiliency, a single FQDN can be
used to resolve to them. For example, use mycompany.com to
resolve to mbg1.mycompany.com and mbg2.mycompany.com.
NOTE: If DNS is used to resolve
a single FQDN to multiple hosts, you must enter this FQDN in the
Allowed URI names field
in the MBG configuration settings.
If there are any other MBGs
in the DMZ, create deployment profiles for them.
NOTE: Because the MiCollab server is in LAN
mode, there is no need to use its local MBG
in a deployment profile.
Assign deployment profiles to users:
Access MiCollab Client
Deployment and either modify an existing user or add a new
user. Select the deployment profile that this user account
will employ.
NOTE: It is also possible to
assign deployment profiles using templates in the Users and Services
application. For conditions and configuration instructions, refer
to the MiCollab
documentation. |
Add Web Server
Certificate |
MBGs and MiCollab |
You are required to purchase a Third-Party
SSL Certificate and install it on the MBG(s)
in the DMZ and the MiCollab
on the LAN. See Certificate
Installation: MiCollab Server in LAN Mode. |
MiCollab
in LAN Mode Clustered with MBG(s) on the Network Edge
This solution consists of MiCollab
on the corporate LAN and one or more MBGs
providing Teleworker and Web Proxy services on the network edge. The Teleworker
service is employed on both the MiCollab
and MBG systems
while the Web Proxy Service is provided only by the MBGs.
The Teleworker service in MiCollab
is only used to remotely manage the Teleworker phones that are configured
on the MBGs.
To support this configuration, install the MiCollab
server with the MBG
application in the LAN and install one or more standalone MBG servers on the network
edge. Then create a cluster that ties the MBGs
together.
Conditions
The MiCollab
server on the LAN must be configured in "Server-only on LAN"
mode and the MBG(s)
on the network edge must be configured in "Server-only on network
edge" mode. (Note that MBG
clustering is only supported for MiCollab
systems that are configured in "Server-only on LAN" mode.)
The MBGs
on the network edge must be routable to the MiCollab
server on the LAN.
All MBGs
must have the same software version. This ensures support for the
full range of MBG
features and services.
The MBG
on MiCollab
and the MBG(s)
on the network edge must be added to a cluster. Clustering provides
the following benefits:
Allows data (including Teleworker services) to be managed
from the MiCollab
application.
Enables licence pooling. Note that, although licences are
pooled, it is recommended that you purchase all Teleworker service
licenses for the MBG(s) located in the DMZ in order to avoid licensing
issues.
The MiCollab and MBG nodes must reside in separate
logical zones. Use the default zone for the node located on the LAN
(which you may rename) and create a new zone for the nodes located
on the network edge.
MiCollab in LAN Mode Clustered with MBG
on Network Edge
Key Settings
The following table lists the key settings required to successfully
program the systems (MiCollab, MBGs,
firewall) in conjunction with MiCollab Client
Deployment. For a complete programming instructions, refer to the appropriate
product documentation.
Feature |
System |
Configuration |
Installing the
Systems |
MiCollab |
Install MiCollab
on the network edge:
Install and configure
the MSL operating system software, configuring only the "Local"
(internal) adapter. Enter the ARID
and install the application software. |
MBGs |
Install MBG(s)
on the network edge:
Install and configure
the MSL operating system software, configuring the "Local"
(internal) and "WAN" (external) adapters. Enter the ARID. Configure the
network profile:
Under Applications, select
MiVoice Border Gateway. Select System Configuration > Network
Profiles. Select Server-gateway on network edge. Click Apply. Configure the
SIP options:
Under System Configuration,
select Settings. For SIP support
the recommended setting is TLS.
To support SIP resiliency, select TLS or TCP. Configure
matching values in the MiCollab Mobile Client
deployment profiles (below). For Allowed URI
names, enter the addresses that MBG should accept
in SIP requests, in addition to its own. For example,
if DNS is being used to resolve the MiCollab
server on the LAN, enter its server name in FQDN format
(mycompany.com). Configure matching values in the MiCollab Mobile Client
deployment profiles (below). Configure the LAN server
web proxy:
Under Applications, select
Remote proxy services. Select Add new LAN server proxy. Enter the
WAN-side FQDN
of the MiCollab Client Deployment. Select MiCollab as the server
type and Deployment Unit
as the user interface. Enable the
new server and click Save. Enable MiCollab Client connector:
Under
Service configuration, select
Application integration. Under Mobile
Client, select Mobile
Client connector enabled and enter the Mobile Client
hostname or server IP address.
NOTE:
To share MBG
configuration data (but not IP addresses or network profiles)
amongst the systems, create a cluster. See below for instructions. |
Configuring
the Firewall |
Firewall |
If
you are using MBG
Teleworker service on the network edge, consult the MiCollab Engineering
Guidelines for a description of the port usage and firewall settings. |
Clustering the
MBGs |
MiCollab and MBGs |
Create a cluster:
Access the MiCollab MBG and create a new
cluster:
Designate the MiCollab MBG
as a master by clicking Create
a cluster. Enter the IP address of the server you have selected
to be the slave as the IP
Address of peer node. Click Save. Access the slave MBG
and add it to the cluster:
Designate the MBG as a slave
by clicking Join. Enter the IP address
of the master server as the IP
Address of peer node. Click Save. Synchronize the
master/slave databases. Set the weight
of both the master and slave to 100. If there are
any other MBGs
on the network edge, add them as slaves and adjust their weight
value to 100.
Subdivide the cluster into two logical
zones:
Access the MiCollab MBG and add a new cluster
zone called "Edge". Rename the "Default"
zone as "LAN" zone, add the current node to it,
and set "Edge" as the backup zone. (You can
use other names if you wish.) Access the MBGs on the Edge, add
them to the "Edge" zone, and set the "LAN"
as the backup zone. Direct LAN-based
devices to the a "LAN" zone and Internet-based devices
to the "Edge" zone. |
Configuring
MiCollab Client
Deployment |
MiCollab |
Connect to the MBG(s):
Access MiCollab Client
Deployment and create a connection to an MBG on the network
edge. First enter configuration details and then generate
an authentication request. Access the MBG on the network
edge, open Web Services, approve the authentication request
and copy the verifier. Access MiCollab Client
Deployment and paste the verifier into the newly created
MBG
connection. The connection is validated with a token. If there are
any other MBGs
on the network edge, connect to them to MiCollab Client Deployment
as described above.
Create deployment profiles for the MBG(s):
Access MiCollab Client
Deployment and either modify the default profile (which
is currently associated with the local MBG)
or add a new profile. Configure the
profile, ensuring that the following settings are correct:
Use Teleworker - Select
to enable Teleworker clients to register via the MBG instead
of directly to the PBX. MBG
- Select the MBG
connection on the network edge that this profile will employ.
Config
download host - Specify where clients can download
the configuration. To have clients connect using DNS, select
MiCollab Server FQDN
or Custom. In most
cases, you will need to set this to Custom
and enter the FQDN of the MBG configured in external
DNS. If multiple MBGs
are providing SIP device resiliency, a single FQDN can be
used to resolve to them. For example, use mycompany.com to
resolve to mbg1.mycompany.com and mbg2.mycompany.com.. MBG
SIP host - Specify on which interface that Teleworker
clients must use to register via the MBG.
To have clients connect directly to the MBG, select MBG’s External Interface
and enter the address of the MBG's
public interface on the enterprise firewall. To have clients
connect using DNS, select MBG’s FQDN or
Custom DNS SRV and
enter the FQDN of the MBG configured in external DNS. If multiple
MBGs
are providing SIP device resiliency, a single FQDN can be
used to resolve to them. For example, use mycompany.com to
resolve to mbg1.mycompany.com and mbg2.mycompany.com.
NOTE: If DNS is used to resolve
a single FQDN to multiple hosts, you must enter this FQDN in the
Allowed URI names field
in the MBG configuration settings.
If there are
any other MBGs
on the network edge, create deployment profiles for them.
NOTE: Because the MiCollab server is in LAN
mode, there is no need to use its local MBG
in a deployment profile.
Assign deployment profiles to users:
Access MiCollab Client
Deployment and either modify an existing user or add
a new user. Select the deployment
profile that this user account will employ.
NOTE:
It is also possible to assign deployment profiles using templates
in the Users and Services application. For conditions and configuration
instructions, refer to the MiCollab
documentation. |
Add Web Server
Certificate |
MBGs and MiCollab |
You are required to purchase a Third-Party
SSL Certificate and install it on the MBG(s)
on the network edge and the MiCollab
on the LAN. See Certificate
Installation: MiCollab Server in LAN Mode. |
MiCollab
Server with MBG on the Network Edge (Server Gateway Mode)
Network Edge (Server-Gateway) mode can be used to deploy any of the
MiCollab applications.
In this configuration, MiCollab
must have direct Internet access, which is required by the MBG Teleworker and MiCollab Client applications.
Conditions
The MiCollab
server requires two Ethernet adaptors. One adapter is configured as
"Local" for connection to the LAN, and the other is configured
as "WAN" for connection to the Internet. The WAN network
adapter requires a publicly routable IP address that is accessible
to both the Internet and the LAN (in other words, the server should
not reside behind a NAT device).
Preferably, MiCollab
should be used in conjunction with the corporate firewall. The MiCollab system acts as a firewall/gateway
for MiCollab
applications while the corporate firewall controls data traffic for
the enterprise. If your voice/telephony network and your data network
are separate, connect the MiCollab's
local network adapter to the voice/telephony network in order to support
the MiCollab's
telephony applications.
Network Edge (Server-Gateway) mode involves a number of security
considerations:
Most application traffic is encrypted, because the system
supports Secure Real-time Transport Protocol (SRTP) for SIP traffic
on both the ICP side as well as the set side of the network edge.
However, calls between SIP endpoints and some older Mitel MiNET
devices may be unencrypted because the MiNET devices only support
RTP. This issue does not arise when newer Mitel MiNET devices
are in use.
When using Teleworker in conjunction with LAN-facing applications,
you must ensure that they review the configuration in relation
to your corporate security policy. You may choose to deploy Teleworker
on a separate server in a DMZ.
MiCollab with MBG on
Network Edge (Server Gateway) with Corporate Firewall
Key Settings
The following table lists the key settings required to successfully
program the systems (MiCollab,
MBGs, firewall)
in conjunction with MiCollab Client
Deployment. For a complete programming instructions, refer to the appropriate
product documentation.
Feature |
System |
Configuration |
Installing the
Systems |
MiCollab / MBG |
Install MiCollab
on the network edge (server-gateway):
Install and configure the MSL operating system software,
configuring the "Local" (internal) and "WAN"
(external) adapters. Program firewall rules to send deployment
tokens and configuration download URLs to the Mitel redirect
deployment servers (default port 443). Enter the ARID and install the application software. Configure the network profile:
Under Applications,
select MiVoice Border
Gateway. Select System Configuration
> Network Profiles. Select Server-gateway
on network edge. Click Apply. Configure the SIP options:
Under System Configuration,
select Settings. For SIP support,
the recommended setting is TLS.
To support SIP resiliency, select TCP or TLS. To support
iPhones you MUST set to TCP. Most Android devices require
TLS. Configure matching values in the MiCollab Mobile Client
deployment profiles (below). For Allowed URI
names, enter the addresses that MBG should accept
in SIP requests, in addition to its own. For example,
if DNS is being used to resolve the MiCollab
server on the LAN, enter its server name in FQDN format
(mycompany.com). Configure matching values in the MiCollab Mobile Client
deployment profile (below). Configure the LAN server web proxy:
Under Applications,
select Remote proxy services. Select Add new
LAN server proxy. Enter the WAN-side
FQDN of MiCollab Client Deployment. Select MiCollab
as the server type and Deployment
Unit as the user interface. Enable the new server and click Save. Enable MiCollab Client connector:
Under
Service configuration, select
Application integration. Under Mobile
Client, select Mobile
Client connector enabled and enter the Mobile Client
hostname or server IP address.
|
Configuring
the Firewall |
Firewall |
If
you are using MBG
Teleworker service in the DMZ, consult the MiCollab
Engineering Guidelines for a description of the port usage and
firewall settings. Since these settings are provided automatically
and cannot be changed, the information is provided for reference
only. |
Configuring
MiCollab Client
Deployment |
MiCollab |
Create a deployment profile for the
MBG:
Access MiCollab Client Deployment
and modify the default profile (which is currently associated
with the local MBG). Configure the profile, ensuring that the following settings
are correct:
Use
Teleworker - Select to enable Teleworker clients to
register via the MBG
instead of directly to the PBX. MBG
- Select the local MBG
connection. Config
download host - Specify where clients can download
the configuration. To have clients connect using DNS, select
MiCollab Server FQDN
or Custom. In most
cases, you will need to set this to Custom
and enter the FQDN of the MBG configured in external
DNS. If multiple MBGs
are providing SIP device resiliency, a single FQDN can be
used to resolve to them. For example, use mycompany.com to
resolve to mbg1.mycompany.com and mbg2.mycompany.com. MBG
SIP host - Specify on which interface that Teleworker
clients must use to register via the MBG.
To have clients connect using DNS, select MBG’s FQDN or
Custom DNS SRV and
enter the FQDN of the MBG configured in external DNS. SIP transport protocol -
Recommended setting is TLS.
To support SIP resiliency, select TLS or TCP. This setting
must match the SIP support
setting on the MBG.
Assign deployment profiles to users:
Access MiCollab Client Deployment
and either modify an existing user or add a new user. Select the deployment profile that this user account
will employ.
NOTE: It is also possible to
assign deployment profiles using templates in the Users and Services
application. For conditions and configuration instructions, refer
to the MiCollab
documentation. |
Add Web Server
Certificate |
MiCollab / MBG |
You are required to purchase a Third-Party
SSL Certificate and install it on the MiCollab
server. See Certificate
Installation: MiCollab Server in Network Edge Mode |