MBG Configuration

From a new installation of Release 11.0, access the MiVoice Border Gateway User Interface from MSL server-manager and perform the following steps:

  1. Go to System Configuration > Network Profile.
    1. Select Profile and Apply.
  2. Go to System Configuration > Settings.
    1. Enable SIP support for TCP/TLS for Public and configure the following:
      • If TLS is used for both internal and external connections, uncheck UDP and TCP.

        (Or)
      • If TLS is not used for the internal connection, check UDP or TCP for Private.

    2. Change Codec support to Unrestricted.
    3. Change Set-side RTP security to Require (to enforce SRTP between the phone and MBG).
    4. If TLS is used for both internal and external connections, navigate to the Service parameters and uncheck ICP failure detection.
      Note: Optionally, you can disable support for all protocols under Minet Support.

  3. Go to Service Configuration > ICPs.
    1. Add your MX-ONE system as type MiVoice MX-ONE with SIP capabilities as 'UDP, TCP', or 'UDP, TCP, TLS' for secure communication.
    2. Configure MX-ONE support.
    3. Check Link to the ICP and Enable.
    4. SIP XML:
      1. Configure the XML listen port as 22223 and check TLS.

      2. Configure the XML destination port:
        • If TLS is not used for the internal connection, set 22222 and uncheck TLS.

          (Or)
        • If TLS is used for the internal connection, set 22223 and check TLS.

    5. Native VDP logon:
      1. Configure the configuration server listen port as 22226 and check TLS.

      2. Configure the configuration server destination port:
        • If TLS is not used for the internal connection, set 22225 and uncheck TLS.

          (Or)
        • If TLS is used for the internal connection, set 22226 and check TLS.

    6. Configure the configuration server address (the address to MX-ONE).

    7. Click Save.
  4. Do not start MBG yet.
  5. Set up MBG with mutual TLS for SIP using the configuration script.
  6. Connect to the system via SSH (for example, using PuTTY) and log in as root.
  7. Run the configuration script, specifying the MBG Public IP address (i.e., the address the Teleworker 69xx/68xx phones will connect to) and the MBG local or LAN IP address. Optionally, you can use the script to modify an existing mitel.cfg or use MBG as a TFTP server for the phones. To view all available options, run the configuration script without arguments.

    /usr/sbin/configure_68xx_mbg_support.sh

    Example #1: MBG Public IP is 1.1.1.1 and MBG local IP is 192.168.100.10

    [root@mysystem ~]# /usr/sbin/configure_68xx_mbg_support.sh --mbg_wan_ip ip_address --mbg_lan_ip ip_address --generate_certificate
    [root@mysystem ~]# /usr/sbin/configure_68xx_mbg_support.sh --mbg_wan_ip 1.1.1.1 --mbg_lan_ip 192.168.100.10 --generate_certificate
    mbg_wan_ip=1.1.1.1
    mbg_lan_ip=192.168.100.10
    configure_tftp=false
    generate_certificate=true
    force=false
    creating /etc/tug/aastra_tftp, output files will be placed there.
    configuring mbg certificate with ip address: 1.1.1.1
    Generating a 2048 bit RSA private key
    ..................................................................................+++
    .......................................................+++
    writing new private key to '/etc/tug/aastra_tftp/mbg_mxone_key.pem'
    -----
    writing RSA key
    details:
    InsertCertificateIntoChain
    Subject: /CN=1.1.1.1
    Issuer: /CN=1.1.1.1
    ReorderCertificateChain:: client certificate found:
    Subject: /CN=1.1.1.1
    Issuer : /CN=1.1.1.1
    ReorderCertificateChain:: root CA certificate found:
    Subject: /CN=1.1.1.1
    Issuer : /CN=1.1.1.1
    VerifyCertificateChain:: m_vrCerts.size()=1 rc=1
    certificate and key files for set are /etc/tug/aastra_tftp/mbg_mxone_cert.pem and /etc/tug/aastra_tftp/mbg_mxone_key.pem
    done.

    Example #2: MBG Public IP is 1.1.1.1, MBG local IP is 192.168.100.10, modify an existing mitel.cfg (transferred to /root

    [root@mysystem ~]# /usr/sbin/configure_68xx_mbg_support.sh --mbg_wan_ip 1.1.1.1 --mbg_lan_ip 192.168.100.10 --generate_certificate --modify_cfg_template mitel.cfg --ntp_server pool.ntp.org --time_zone_name SE-Stockholm
    mbg_wan_ip=1.1.1.1
    mbg_lan_ip=192.168.100.10
    configure_tftp=true
    generate_certificate=true
    force=false
    will configure tftp directory /etc/tug/aastra_tftp to serve up config files
    creating /etc/tug/aastra_tftp, output files will be placed there.
    configuring mbg certificate with ip address: 1.1.1.1
    Generating a 2048 bit RSA private key
    ..................................................................+++
    ..........+++
    writing new private key to '/etc/tug/aastra_tftp/mbg_mxone_key.pem'
    -----
    writing RSA key
    details:
    InsertCertificateIntoChain
    Subject: /CN=1.1.1.1
    Issuer : /CN=1.1.1.1
    ReorderCertificateChain:: client certificate found:
    Subject: /CN=1.1.1.1
    Issuer : /CN=1.1.1.1
    ReorderCertificateChain:: root CA certificate found:
    Subject: /CN=1.1.1.1
    Issuer : /CN=1.1.1.1
    VerifyCertificateChain:: m_vrCerts.size()=1 rc=1
    certificate and key files for set are /etc/tug/aastra_tftp/mbg_mxone_cert.pem and /root/mitel_tftp/mbg_mxone_key.pem
    creating mitel.cfg from template, configured with MBG's CN ip
    sip proxy ip
    sip proxy port
    sip registrar ip
    sip registrar port
    sip outbound proxy
    sip outbound proxy port
    tftp server
    sips trusted certificates
    sips root and intermediate certificates
    sips local certificate
    sips private key
    https validate certificates
    https user certificates
    time server disabled
    time server
    time zone name
    sip transport protocol
    found URL's pointing to 22222, switching to https and port 22223 
    appending fixed URLs to config file
    done.
  8. Return to the MiVoice Border Gateway User Interface and click Dashboard to start MBG.
  9. Confirm that Teleworker 69xx/68xx phones have access to the public IP of MBG using the Teleworker Network Analyzer tool.
  10. Download the tool from Administration – File Transfer and install it on a Windows machine that has network connectivity to the public IP of your system.
  11. Launch the application and run a connect test against the public IP.

    SIP TLS, Aastra MXL MX-ONE, Voice Traffic (begin) and (end) should return OK.

    If any of the above return CLOSED or TIMED OUT, contact your firewall administrator.
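
The following shell functions are an added example, not part of the Mitel documentation or of configure_68xx_mbg_support.sh. They audit the mitel.cfg generated in Example #2 for the TLS parameters the script reports setting, for SIP endpoints that do not match the MBG public IP, and for URLs left on http or port 22222. The `parameter: value` file layout, the function names, and the rule that proxy, registrar and outbound proxy equal the public IP are assumptions.

```shell
# Added example, not Mitel's code: audit the mitel.cfg that
# configure_68xx_mbg_support.sh generates, before phones download it.
# Assumption: the file holds "parameter name: value" lines, "#" for comments.

# TLS-related parameters the script output lists as configured.
TLS_PARAMS='sip transport protocol
sips trusted certificates
sips root and intermediate certificates
sips local certificate
sips private key
https validate certificates'

# Assumption: these three must point at the MBG public (WAN) IP.
WAN_PARAMS='sip proxy ip
sip registrar ip
sip outbound proxy'

# cfg_value <file> <parameter>: print its value, or nothing if absent.
cfg_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, ":"); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          if (k == key) { print v; exit } }' "$1"
}

# audit_mitel_cfg <file> <MBG public IP>
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_mitel_cfg() {
    cfg=$1; wan_ip=$2; findings=0
    [ -r "$cfg" ] || { echo "UNREADABLE $cfg"; return 1; }
    while IFS= read -r p; do
        [ -n "$(cfg_value "$cfg" "$p")" ] || { echo "MISSING $p"; findings=1; }
    done <<EOF
$TLS_PARAMS
EOF
    while IFS= read -r p; do
        v=$(cfg_value "$cfg" "$p")
        [ "$v" = "$wan_ip" ] || { echo "MISMATCH $p=${v:-unset}"; findings=1; }
    done <<EOF
$WAN_PARAMS
EOF
    # The script moves URLs from port 22222 to https on 22223; flag leftovers.
    if grep -nE '^[^#]*(http://|:22222([^0-9]|$))' "$cfg"; then
        echo "CLEARTEXT-URL on the line(s) above"; findings=1
    fi
    return "$findings"
}
```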