Define Deployment Configurations

MiCollab in LAN Mode Clustered with MBG(s) in the DMZ

This solution consists of MiCollab on the corporate LAN and one or more MBGs providing Teleworker and Web Proxy services in the DMZ. The Teleworker service is employed on both the MiCollab and MBG systems while the Web Proxy Service is provided only by the MBGs. The Teleworker service in MiCollab is only used to remotely manage the Teleworker phones that are configured on the MBGs.

To support this configuration, install the MiCollab server with the MBG application in the LAN and install one or more standalone MBG servers in the DMZ. Then create a cluster that ties the MBGs together.

Conditions

The MiCollab server on the LAN must be configured in "Server-only on LAN" mode and the MBG(s) in the DMZ must be configured in "Server-only on DMZ" mode. (Note that MBG clustering is only supported for MiCollab systems that are configured in "Server-only on LAN" mode.)
The MBGs in the DMZ must be routable to the MiCollab server on the LAN.
All MBGs must have the same software version. This ensures support for the full range of MBG features and services.
The MBG on MiCollab and the MBG(s) in the DMZ must be added to a cluster. Clustering provides the following benefits:
- Allows data (including Teleworker services) to be managed from the MiCollab application.
- Enables licence pooling. Note that, although licences are pooled, it is recommended that you purchase all Teleworker service licenses for the MBG(s) located in the DMZ in order to avoid licensing issues.
The MiCollab and MBG nodes must reside in separate logical zones. Use the default zone for the node located on the LAN (which you may rename) and create a new zone for the nodes located in the DMZ.

MiCollab in LAN Mode Clustered with MBGs in the DMZ

Key Settings

The following table lists the key settings required to successfully program the systems (MiCollab, MBGs, firewall) in conjunction MiCollab Client Deployment. For a complete programming instructions, refer to the appropriate product documentation.

Feature	System	Configuration
Installing the Systems	MiCollab	Install MiCollab on the LAN: Install and configure the MSL operating system software, configuring only the "Local" (internal) adapter. Enter the ARID and install the application software.
Installing the Systems	MBGs	Install MBG(s) in the DMZ: Install and configure the MSL operating system software, configuring only the "Local" (internal) adapter. Enter the ARID. Configure the network profile: Under Applications, select MiVoice Border Gateway. Select System Configuration > Network Profiles. Select Server-only on network DMZ. Click Apply. Configure the SIP options: Under System Configuration, select Settings. For SIP support the recommended setting is TLS. To support SIP resiliency, select TLS or TCP. Configure matching values in the MiCollab Mobile Client deployment profiles (below). For Allowed URI names, enter the addresses that MBG should accept in SIP requests, in addition to its own. For example, if DNS is being used to resolve the MiCollab server on the LAN, enter its server name in FQDN format (mycompany.com). Configure matching values in the MiCollab Mobile Client deployment profiles (below). Configure the LAN server web proxy: Under Applications, select Remote proxy services. Select Add new LAN server proxy. Enter the WAN-side FQDN of MiCollab Client Deployment. Select MiCollab as the server type and Deployment Unit as the user interface. Enable the new server and click Save. Note: To share MBG configuration data (but not IP addresses or network profiles) amongst the systems, create a cluster. See below for instructions.
Configuring the Firewall	Firewall	Program firewall rules to allow the Client Deployment Service – which resides on your MiCollab Server – to reach the Redirect Servers (mcdepl01.easydeploy.net and mcdepl02.easydeploy.net) on port 443/tcp. This is required to send data to the Redirect Servers which help the clients to find the respective MiCollab server and which will also send the deployment emails to the end user’s email address. If you are using MBG Teleworker service in the DMZ, consult the MiCollab Engineering Guidelines for a description of the port usage and firewall settings.
Clustering the MBGs	MiCollab and MBGs	Create a cluster: Access the MiCollab MBG and create a new cluster: Designate the MiCollab MBG as a master by clicking Create a cluster. Enter the IP address of the server you have selected to be the slave as the IP Address of peer node. Click Save. Access the slave MBG and add it to the cluster: Designate the MBG as a slave by clicking Join. Enter the IP address of the master server as the IP Address of peer node. Click Save. Synchronize the master/slave databases. Set the weight of both the master and slave to 100. If there are any other MBGs in the DMZ, add them as slaves and adjust their weight value to 100. Subdivide the cluster into two logical zones: Access the MiCollab MBG and add a new cluster zone called "DMZ". Rename the "Default" zone as "LAN" zone, add the current node to it, and set "DMZ" as the backup zone. (You can use other names if you wish.) Access the MBGs in the DMZ, add them to the "DMZ" zone, and set the "LAN" as the backup zone. Direct LAN-based devices to the a "LAN" zone and Internet-based devices to the "DMZ" zone.
Configuring MiCollab Client Deployment	MiCollab	Connect to the MBG(s): Access MiCollab Client Deployment and create a connection to an MBG in the DMZ. First enter configuration details and then generate an authentication request. Access the MBG in the DMZ, open Web Services, approve the authentication request and copy the verifier. Access MiCollab Client Deployment and paste the verifier into the newly created MBG connection. The connection is validated with a token. If there are any other MBGs in the DMZ, connect to them to the MiCollab Client Deployment as described above. Create deployment profiles for the MBG(s): Access the MiCollab Client Deployment and either modify the default profile (which is currently associated with the local MBG) or add a new profile. Configure the profile, ensuring that the following settings are correct: Use Teleworker - Select to enable Teleworker clients to register via the MBG instead of directly to the PBX. MBG - Select the MBG connection in the DMZ that this profile will employ. Config download host - Specify where clients can download the configuration. To have clients connect using DNS, select MiCollab Server FQDN or Custom. In most cases, you will need to set this to Custom and enter the FQDN of the MBG configured in external DNS. If multiple MBGs are providing SIP device resiliency, a single FQDN can be used to resolve to them. For example, use mycompany.com to resolve to mbg1.mycompany.com and mbg2.mycompany.com. MBG SIP host - Specify on which interface that Teleworker clients must use to register via the MBG.To have clients connect using DNS, select MBG’s FQDN or Custom DNS SRV and enter the FQDN of the MBG configured in external DNS. If multiple MBGs are providing SIP device resiliency, a single FQDN can be used to resolve to them. For example, use mycompany.com to resolve to mbg1.mycompany.com and mbg2.mycompany.com. Note: If DNS is used to resolve a single FQDN to multiple hosts, you must enter this FQDN in the Allowed URI names field in the MBG configuration settings. SIP transport protocol - Recommended setting is TLS. To support SIP resiliency, select TLS or TCP. This setting must match the SIP support setting on the MBG. If there are any other MBGs in the DMZ, create deployment profiles for them. Note: Because the MiCollab server is in LAN mode, there is no need to use its local MBG in a deployment profile. Assign deployment profiles to users: Access MiCollab Client Deployment and either modify an existing user or add a new user. Select the deployment profile that this user account will employ. Note: It is also possible to assign deployment profiles using templates in the Users and Services application. For conditions and configuration instructions, refer to the MiCollab documentation.
Add Web Server Certificate	MBGs and MiCollab	You are required to purchase a Third-Party SSL Certificate and install it on the MBG(s) in the DMZ and the MiCollab on the LAN. See MiCollab in LAN Mode with MBGs in DMZ.

MiCollab in LAN Mode Clustered with MBG(s) on the Network Edge

This solution consists of MiCollab on the corporate LAN and one or more MBGs providing Teleworker and Web Proxy services on the network edge. The Teleworker service is employed on both the MiCollab and MBG systems while the Web Proxy Service is provided only by the MBGs. The Teleworker service in MiCollab is only used to remotely manage the Teleworker phones that are configured on the MBGs.

To support this configuration, install the MiCollab server with the MBG application in the LAN and install one or more standalone MBG servers on the network edge. Then create a cluster that ties the MBGs together.

Conditions

The MiCollab server on the LAN must be configured in "Server-only on LAN" mode and the MBG(s) on the network edge must be configured in "Server-only on network edge" mode. (Note that MBG clustering is only supported for MiCollab systems that are configured in "Server-only on LAN" mode.)
The MBGs on the network edge must be routable to the MiCollab server on the LAN.
All MBGs must have the same software version. This ensures support for the full range of MBG features and services.
The MBG on MiCollab and the MBG(s) on the network edge must be added to a cluster. Clustering provides the following benefits:
- Allows data (including Teleworker services) to be managed from the MiCollab application.
- Enables licence pooling. Note that, although licences are pooled, it is recommended that you purchase all Teleworker service licenses for the MBG(s) located in the DMZ in order to avoid licensing issues.
The MiCollab and MBG nodes must reside in separate logical zones. Use the default zone for the node located on the LAN (which you may rename) and create a new zone for the nodes located on the network edge.

MiCollab in LAN Mode Clustered with MBG on Network Edge

Key Settings

The following table lists the key settings required to successfully program the systems (MiCollab, MBGs, firewall) in conjunction with MiCollab Client Deployment. For a complete programming instructions, refer to the appropriate product documentation.

Feature	System	Configuration
Installing the Systems	MiCollab	Install MiCollab on the network edge: Install and configure the MSL operating system software, configuring only the "Local" (internal) adapter. Enter the ARID and install the application software.
Installing the Systems	MBGs	Install MBG(s) on the network edge: Install and configure the MSL operating system software, configuring the "Local" (internal) and "WAN" (external) adapters. Enter the ARID. Configure the network profile: Under Applications, select MiVoice Border Gateway. Select System Configuration > Network Profiles. Select Server-gateway on network edge. Click Apply. Configure the SIP options: Under System Configuration, select Settings. For SIP support the recommended setting is TLS. To support SIP resiliency, select TLS or TCP. Configure matching values in the MiCollab Mobile Client deployment profiles (below). For Allowed URI names, enter the addresses that MBG should accept in SIP requests, in addition to its own. For example, if DNS is being used to resolve the MiCollab server on the LAN, enter its server name in FQDN format (mycompany.com). Configure matching values in the MiCollab Mobile Client deployment profiles (below). Configure the LAN server web proxy: Under Applications, select Remote proxy services. Select Add new LAN server proxy. Enter the WAN-side FQDN of the MiCollab Client Deployment. Select MiCollab as the server type and Deployment Unit as the user interface. Enable the new server and click Save. Enable MiCollab Client connector: Under Service configuration, select Application integration. Under Mobile Client, select Mobile Client connector enabled and enter the Mobile Client hostname or server IP address. Note: To share MBG configuration data (but not IP addresses or network profiles) within the systems, create a cluster. See below for instructions.
Configuring the Firewall	Firewall	If you are using MBG Teleworker service on the network edge, consult the MiCollab Engineering Guidelines for a description of the port usage and firewall settings.
Clustering the MBGs	MiCollab and MBGs	Create a cluster: Access the MiCollab MBG and create a new cluster: Designate the MiCollab MBG as a master by clicking Create a cluster. Enter the IP address of the server you have selected to be the slave as the IP Address of peer node. Click Save. Access the slave MBG and add it to the cluster: Designate the MBG as a slave by clicking Join. Enter the IP address of the master server as the IP Address of peer node. Click Save. Synchronize the master/slave databases. Set the weight of both the master and slave to 100. If there are any other MBGs on the network edge, add them as slaves and adjust their weight value to 100. Subdivide the cluster into two logical zones: Access the MiCollab MBG and add a new cluster zone called "Edge". Rename the "Default" zone as "LAN" zone, add the current node to it, and set "Edge" as the backup zone. (You can use other names if you wish.) Access the MBGs on the Edge, add them to the "Edge" zone, and set the "LAN" as the backup zone. Direct LAN-based devices to the a "LAN" zone and Internet-based devices to the "Edge" zone.
Configuring MiCollab Client Deployment	MiCollab	Connect to the MBG(s): Access MiCollab Client Deployment and create a connection to an MBG on the network edge. First enter configuration details and then generate an authentication request. Access the MBG on the network edge, open Web Services, approve the authentication request and copy the verifier. Access MiCollab Client Deployment and paste the verifier into the newly created MBG connection. The connection is validated with a token. If there are any other MBGs on the network edge, connect to them to MiCollab Client Deployment as described above. Create deployment profiles for the MBG(s): Access MiCollab Client Deployment and either modify the default profile (which is currently associated with the local MBG) or add a new profile. Configure the profile, ensuring that the following settings are correct: Use Teleworker - Select to enable Teleworker clients to register via the MBG instead of directly to the PBX. MBG - Select the MBG connection on the network edge that this profile will employ. Config download host - Specify where clients can download the configuration. To have clients connect using DNS, select MiCollab Server FQDN or Custom. In most cases, you will need to set this to Custom and enter the FQDN of the MBG configured in external DNS. If multiple MBGs are providing SIP device resiliency, a single FQDN can be used to resolve to them. For example, use mycompany.com to resolve to mbg1.mycompany.com and mbg2.mycompany.com.. MBG SIP host - Specify on which interface that Teleworker clients must use to register via the MBG. To have clients connect directly to the MBG, select MBG’s External Interface and enter the address of the MBG's public interface on the enterprise firewall. To have clients connect using DNS, select MBG’s FQDN or Custom DNS SRV and enter the FQDN of the MBG configured in external DNS. If multiple MBGs are providing SIP device resiliency, a single FQDN can be used to resolve to them. For example, use mycompany.com to resolve to mbg1.mycompany.com and mbg2.mycompany.com. Note: If DNS is used to resolve a single FQDN to multiple hosts, you must enter this FQDN in the Allowed URI names field in the MBG configuration settings. SIP transport protocol - Recommended setting is TLS. To support SIP resiliency, select TLS or TCP. This setting must match the SIP support setting on the MBG. If there are any other MBGs on the network edge, create deployment profiles for them. Note: Because the MiCollab server is in LAN mode, there is no need to use its local MBG in a deployment profile. Assign deployment profiles to users: Access MiCollab Client Deployment and either modify an existing user or add a new user. Select the deployment profile that this user account will employ. Note: It is also possible to assign deployment profiles using templates in the Users and Services application. For conditions and configuration instructions, refer to the MiCollab documentation.
Add Web Server Certificate	MBGs and MiCollab	You are required to purchase a Third-Party SSL Certificate and install it on the MBG(s) on the network edge and the MiCollab on the LAN. See MiCollab Server in LAN Mode.

MiCollab Server with MBG on the Network Edge (Server Gateway Mode)

Network Edge (Server-Gateway) mode can be used to deploy any of the MiCollab applications. In this configuration, MiCollab must have direct Internet access, which is required by the MBG Teleworker and MiCollab Client applications.

Conditions

The MiCollab server requires two Ethernet adaptors. One adapter is configured as "Local" for connection to the LAN, and the other is configured as "WAN" for connection to the Internet. The WAN network adapter requires a publicly routable IP address that is accessible to both the Internet and the LAN (in other words, the server should not reside behind a NAT device).
Preferably, MiCollab should be used in conjunction with the corporate firewall. The MiCollab system acts as a firewall/gateway for MiCollab applications while the corporate firewall controls data traffic for the enterprise. If your voice/telephony network and your data network are separate, connect the MiCollab's local network adapter to the voice/telephony network in order to support the MiCollab's telephony applications.
Network Edge (Server-Gateway) mode involves a number of security considerations:
- Most application traffic is encrypted, because the system supports Secure Real-time Transport Protocol (SRTP) for SIP traffic on both the ICP side as well as the set side of the network edge. However, calls between SIP endpoints and some older Mitel MiNET devices may be unencrypted because the MiNET devices only support RTP. This issue does not arise when newer Mitel MiNET devices are in use.
- When using Teleworker in conjunction with LAN-facing applications, you must ensure that they review the configuration in relation to your corporate security policy. You may choose to deploy Teleworker on a separate server in a DMZ.

MiCollab with MBG on Network Edge (Server Gateway) with Corporate Firewall

Key Settings

Feature	System	Configuration
Installing the Systems	MiCollab / MBG	Install MiCollab on the network edge (server-gateway): Install and configure the MSL operating system software, configuring the "Local" (internal) and "WAN" (external) adapters. Program firewall rules to send deployment tokens and configuration download URLs to the Mitel redirect deployment servers (default port 443). Enter the ARID and install the application software. Configure the network profile: Under Applications, select MiVoice Border Gateway. Select System Configuration > Network Profiles. Select Server-gateway on network edge. Click Apply. Configure the SIP options: Under System Configuration, select Settings. For SIP support, the recommended setting is TLS. To support SIP resiliency, select TCP or TLS. To support iPhones you MUST set to TCP. Most Android devices require TLS. Configure matching values in the MiCollab Mobile Client deployment profiles (below). For Allowed URI names, enter the addresses that MBG should accept in SIP requests, in addition to its own. For example, if DNS is being used to resolve the MiCollab server on the LAN, enter its server name in FQDN format (mycompany.com). Configure matching values in the MiCollab Mobile Client deployment profile (below). Configure the LAN server web proxy: Under Applications, select Remote proxy services. Select Add new LAN server proxy. Enter the WAN-side FQDN of MiCollab Client Deployment. Select MiCollab as the server type and Deployment Unit as the user interface. Enable the new server and click Save. Enable MiCollab Client connector: Under Service configuration, select Application integration. Under Mobile Client, select Mobile Client connector enabled and enter the Mobile Client hostname or server IP address.
Configuring the Firewall	Firewall	If you are using MBG Teleworker service in the DMZ, consult the MiCollab Engineering Guidelines for a description of the port usage and firewall settings. Since these settings are provided automatically and cannot be changed, the information is provided for reference only.
Configuring MiCollab Client Deployment	MiCollab	Create a deployment profile for the MBG: Access MiCollab Client Deployment and modify the default profile (which is currently associated with the local MBG). Configure the profile, ensuring that the following settings are correct: Use Teleworker - Select to enable Teleworker clients to register via the MBG instead of directly to the PBX. MBG - Select the local MBG connection. Config download host - Specify where clients can download the configuration. To have clients connect using DNS, select MiCollab Server FQDN or Custom. In most cases, you will need to set this to Custom and enter the FQDN of the MBG configured in external DNS. If multiple MBGs are providing SIP device resiliency, a single FQDN can be used to resolve to them. For example, use mycompany.com to resolve to mbg1.mycompany.com and mbg2.mycompany.com. MBG SIP host - Specify on which interface that Teleworker clients must use to register via the MBG. To have clients connect using DNS, select MBG’s FQDN or Custom DNS SRV and enter the FQDN of the MBG configured in external DNS. SIP transport protocol - Recommended setting is TLS. To support SIP resiliency, select TLS or TCP. This setting must match the SIP support setting on the MBG. Assign deployment profiles to users: Access MiCollab Client Deployment and either modify an existing user or add a new user. Select the deployment profile that this user account will employ. Note: It is also possible to assign deployment profiles using templates in the Users and Services application. For conditions and configuration instructions, refer to the MiCollab documentation.
Add Web Server Certificate	MiCollab / MBG	You are required to purchase a Third-Party SSL Certificate and install it on the MiCollab server. See MiCollab Server in Network Edge Mode .