DrVoIP, Author at DrVoIP - AWS Cloud Solutions

Network Security begins with an “Acceptable Use” Policy!

Posted on May 2, 2015 by DrVoIP

Most folks seem to understand what a firewall is and why it is so very important. They intuitively understand they need something between the “trusted” internal computer network, and the wild west we call the Internet! The installation of a firewall is generally something all business do, from the wireless network at the local coffee shop, to the medium size law firm and the giant multinational distributed enterprise. The barbarians are at the door, but with a firewall we all feel protected! The largest percentage of cyber security risks, however, do not come through the front door and your firewall will never see them enter. The largest risk to the security of your network comes from the employees and guests allowed, either connected by wire or wireless, to attach to your corporate network.

As a CISCO Certified Security Professional, DrVoIP does a great deal of work in the area of computer network security. When called on to do a “Security audit”, “voice readiness” or “network assessment”, the first question we ask executive management is where is your AUP? After all, we can tell you what protocols are running around on your network, and even which user is consuming the most bandwidth. We cannot, however, tell you if they are allowed to use that bandwidth! The creation of an “acceptable use” policy (i.e., AUP) is an essential first step in network security. The AUP communicates to all network users what is supported and what applications are allowed on the network. It describes what is acceptable regarding personal email, blogging, file sharing, web hosting, instant messaging, music and video streaming. It defines what activity is strictly prohibited on the network and clearly outlines what constitutes “excessive use”. The computer network is a valuable corporate asset and as such, it needs to be valued, protected, and secured.

Does your company have a network access and authentication policy? What is the “password” policy? Do you even 0need a password to use the company network? Can anyone just come in and plug whatever phone, pad or computer device they happen to have into the company network? What is the data storage and retention policy? Do you allow VPN tunnels that extend your company network to a home office or coffee shop? Do you allow your users to connect third party provided equipment to your network? Is it acceptable that Bob just added a hub to his office network connection so he can plug in his own printer? How do we feel if Bob plugs in his own wireless access point? Do we have a “guest” network and do we let those folks know what is acceptable on your network?

What are the legal ramifications and liabilities you are exposed to if you are providing a computer network as part of a lease agreement? Are you liable for damages if your computer network is unavailable or “down for any reason? If Home Land Security shows up because your company’s public IP address was traced as originating a terrorist treat, do you have the user agreements in place to mitigate the costs you are about to incur defending your good name and reputation?

Computer network security is more than a firewall. A computer with an Ebola virus, Adware or nefarious RAT (remote access terminal) will infect all computers on your network, threaten your corporate data and render your firewall as useless as a screen door on a submarine. If your company has taken the prudent step of providing a Human Resource or employee manual that spells out the company’s position on work force violence, sexual harassment, vacation day accrual and drugs in the workplace, why don’t you have a manual that defines the acceptable use of your most vital corporate assess, the computer network?

Contact DrVoIP@DrVoIP.com and ask us to send you a sample AUP! We can assist with the creation of an acceptable use policy that makes sense for your company and your employees while protecting your valuable communication and collaboration asset, the company Intranet! Then and only then can we do an effective “network assessment”. – DrVoIP

V14 Trouble Shooting ShoreTel SIP

Posted on April 30, 2015 by DrVoIP

ShoreTel SIP is just not that hard to configure! When things go right, and it all works, it is relatively painless and very easy. When things don’t work however, you will need to sort out the problem and figure out how to make it work. The good news is that SIP is a clear text, english like “requests” and “response” message exchange that, once understood can be relatively easy to work with. Using packet capture tools like Wireshark can be a real assist. ShoreTel has built “remote packet capture” into the V14 diagnostic portal and makes debugging sip issues even more easy to digest.

The message exchange for SIP “extensions” is not much different than that for SIP “trunks”. So to learn SIP why not study a successful SIP connection first, before diving into a debug session. What we have tried to do in this tech tip, is to illustrate the process of a SIP extension registering with a ShoreTel proxy server. We picked a configuration that is comparatively complex, but not unlike one that you might find in the real world. SIP extensions can unit remote office workers into a seamless call handling workgroup. As such your remote worker will traverse a couple of firewalls and routers on its way to the SIP proxy.

In this configuration we register a SIP soft phone, remotely from the ShoreTel HQ site, over a site to site VPN tunnel. The VPN tunnel is between a CISCO ASA and a SonicWall TZ250. We note that 90% of the SIP issues we see having nothing to do with the configuration of the ShoreTel equipment and everything to do with the network devices, routers, switches and firewalls that are part of the SIP solution. Small business solutions, for example, tend to bring the SIP trunks into the phone system over the same connection they bring in their internet connection. This means the SIP trunk is passing through the firewall, another most likely candidate for inducing a SIP failure.

This tech tip walks you through a successful SIP registration of a remote soft phone. In our next tech tip, we will walk you through configuring a SIP trunk through a SonicWall and then look at fixing some broken SIP connections!

A ShoreTel Workgroup is a Contact Center for the rest of us!

Posted on April 8, 2015 by DrVoIP

We have been working around the call center space for a long time. Actually, it is our first love! Does everyone need a full blown Contact Center? If you have a real boiler room operation, with shifts of agents that are heavily manged, counted, recorded, measured complete with staff forecasting and multiple channels of client communication, yes you need an Enterprise Contact Center. As Arlo Guthrie might say “what about the rest of us”? The small to medium size business that is really not cracking the whip on customer service agents, but making efficient use of “knowledge workers” who often participate within a group setting. How do we organize customer calls to this group?

A techncial support group or an order entry group might be a good example. By grouping these folks into a “workgroup” we can funnel calls to them in a call center like fashion without the call center overhead of application servers and third party middle ware. ShoreTel has an embedded call center like feature aptly named “WorkGroups” that is an ideal solution for this environment. You can organize a group, route calls to group members and even queue the call until a group member becomes available. While callers are in queue, you can organize the messages they hear, the time they wait between care messages and you can also provide “bail out” options at each step of the way.

The workgroup can be reached as a menu selection off of an automated attendant or have a phone number assigned that enables outsiders to call directly to the workgroup! The workgroup can have an operating schedule applied that routes callers to alternative answer points if the group should be reached after hours. Group members can Log in and Log out of the workgroup using their ShoreTel Communicator and still maintain their personal extension number and mailbox. While logged into the workgroup, they can share the group voice mail box and see callers waiting in queue! Supervisors can monitor the callers in queue and manipulate resources to meet call demand. Reporting statistics on the group are maintained and easily obtained by the workgroup supervisor or administrator with reporting permissions.

We are now even making it possible for Callers to TEXT into your workgroup! Group members can even email back a TEXT message!

The ShoreTel Workgroup strategy is a powerful call center like functionality and very cost effective. The marginal cost of adding agent and supervisors license when you plan to implement a ShoreTel iPBX when compared to adding a complete Enterprise Contact Center is amazingly low! We would be happy to explain the difference between a Workgroup and the ECC, so just contact us for details!

TEXT the keyword “workgroup” along with your name or email to 702-956-8700 and we will respond immediately!

VPN’s and VoIP – Getting Connected!

Posted on April 7, 2015 by DrVoIP

We see a lot of VoIP deployments that come to us for trouble shooting. A common problem statement is that our HQ site can call both Chicago and Dallas, but Dallas and Chicago can’t call each other. Savvy network administrator will have figured out that there is a routing issue, but how so? Clearly HQ knows how to reach each remote site and the remote sites know how to reach HQ, so where is the break down! At about this time, we learn they have VPN’s that provide tunnel connections to each location and we go clear!

The standard “tunnel” solutions include IP Security (IPSec), GRE, Easy VPN and the new “tunneless” Group Encrypted Transport VPN (GET-VPN) VPN’s are the connectivity options we currently have available. Most folks make the mistake of picking IPSec for connectivity and being an inherently point-to-point technology, they end up with the problem statement summarized above. Even a “hub and spoke” solution is not ideal unless we make it possible for “spoke to spoke” connectivity. Ideally, we need to configure our VPN so Dallas can communicate with Chicago, without passing through HQ!

IPsec is really an encryption and authentication technology that enable secure communications through a public internet. It is generally used in a multiple vendor deployments. IPsec does not support any protocol other than IP, so it can not be used with the routing protocols that might otherwise be used to solve our issue. For this reason, many deployments will use GRE over IPsec. GRE to address the routing protocol issues and the IPsec to provide the security of authentication and encryption. We are still however, in a point to point mode, or in heavy manual administration mode to configure a simple mesh!

VPN’s and VoIP – Getting economical “full mesh” Connectivity without MPLS!

Posted on April 7, 2015 by DrVoIP

The standard “tunnel” solutions include IP Security (IPSec), GRE, Easy VPN and the new “tunneless” Group Encrypted Transport VPN or GET-VPN. Most folks make the mistake of picking IPSec for connectivity and being an inherently point-to-point technology, they end up with the problem statement summarized above. Even a “hub and spoke” solution is not ideal unless we make it possible for “spoke to spoke” connectivity. Ideally, we need to configure our VPN so Dallas can communicate with Chicago, without passing through HQ!

The smart money is on “next hop resolution protocol or NHRP” used in strategies like FlexVPN, GETVPN or DMVPN. These solutions provide a full mesh option while providing for encryption and data integrity. In the problem statement above, had we installed FlexVPN, the Chicago and Dallas sites could communicate directly without having to route through HQ or hub. We would have “spoke to spoke” to communications! As broadband becomes more widely accepted and bandwidth becomes less of an issue, we should see more VPN technology deployed in place or in concert with private network technologies like MPLS (GetVPN over MPLS is really kool).

Give us a call and we can noodle out what “full mesh” technology makes the most sense for your organization, both technically and economically! We are here to help make the network!

ShoreTel SIP Trunk Configuration – Version 14 update Part 1

Posted on March 27, 2015 by DrVoIP

Our older posts on this subject are getting a bit dated and an update is long over due. ShoreTel has been using a version of SIP since day one. We say a version of SIP because at the formation of ShoreTel, SIP standards had not yet been solidified. ShoreTel SIP, therefor, was not interoperable nor did it need to be. Our fist experience with ShoreTel was Version 3.1 back in 2001! At that time, ShoreTel did not yet support IP phones, but ShoreTel SIP was and continues to be the call setup protocol used between ShoreGear switches.

Though ShoreTel introduced IP Phones in Version 4 with the private labeling of Polycom handsets, ShoreTel SIP for desktop devices did not become available until Version 8. This early version of the SIP protocol required you to configure the first version of the IP8000 as a SIP trunk not a SIP Extension. It was a step in the right direction, but it was not until V13 that we got a version that was more compatible with other SIP devices and not until Version 14 before we reached PRI parity on SIP trunks with the introduction of media termination points.

SIP in general is relatively simple to configure and mirrors most of the steps you take to implement a normal TDM Trunk Group. The devil, however is in the details! IP profiles, NAT, firewall, Digest Authentication and Carrier particulars need to be mapped out. Generally, a Session Border Controller is a best practice for a SIP deployment. Where does your network end and the carrier network begin? Well, that is the single most important benefit of a SBC! Additionally, the SBC can be the point at which we “normalize” SIP messages and translate between any dialectic differences between SIP implementations.

Generally, in ShoreTel you will setup your underlying resources by allocating ShoreGear switch ports, media termination points, profiles, timers and DTMF handling configurations. The Creation of a SIP trunk group is very similar to the configuration of a PRI trunk group and the same options will need to be specified as to the use of this group. Then SIP trunks are added to the SIP trunk group, the actual circuits on which phone calls will take place. If the trunk group is to support tandem trunking and is connecting to another system as a tie line, the off premise extensions and digit translation options will also need to be configured.

The first video will walk through the configuration of a TIE trunk between two ShoreTel systems. One system will use the TIE trunk to place all outbound PSTN phone calls through the other ShoreTel system. Both systems will use the Trunk Group for extension to extension calling, with one system having extensions in the range of 200-299 and the other having extension in the 300-399 range. We will walk through the basic configuration and then also take a look at wireshark captures to illustrate the SIP call setup message exchange. In the second part of this update, we will the route calls out a SIP trunk to a SIP carrier for PSTN calls, using several different SBC’s.

Contact DrVoIP@DrVoIP.com to have us setup this up for you! We offer flat rate configurations!

ShoreTel fail over options using Vmware – Part 3 the “HA” and “FT” Option!

Posted on March 25, 2015 by DrVoIP

A quick review of vocabulary before we go into this subject any further. First when we refer to vSphere, we are talking about the entire VMware ecosystem and all of its components. It is just a short hand for the entire system solution. ESXi is a VMware hypervisor. It is the “host” hardware on which the “guest” virtual machines run on. vCenter is an administrative portal that enables you to manage multiple Datacenters. A Datacenter is a collection of ESXi hosts. I strongly urge all serious engineers to watch Kieth Barker’s presentation in CBTnuggets on this subject, particularly his presentation on HA and FT in the certification training for vSphere VCP5-DCV. Kieth is a truly excellent instructor and he gets paid to make videos!

A more advanced ( read cost more money) strategy for managing server failures in vSphere is either High Availability or Fault Tolerance. Assuming we have three ESXi hosts, lets take a quick look at how each of these strategies would work. Using vCenter we would enable High Availability or HQ at the cluster level. The first ESXi host to boot up, would be nominated Master. Assume the ShoreTel HQ is a virtual server running on this ESXi(1). All the ESXi hosts in the cluster, would exchange heart beats over the management LAN that they all share. Should the heart beat from ESXi(1) not be detected, it would be considered down and the virtual machine would be restarted on the secondary server in that cluster.

An VMware server running VMware Tools, can also generate heart beats between itself and the ESXi host that it is running on. Should the host not receive a hear beat from the guest VMware server, it would consider it down and cause a new instanc of that VM to run. Generally, it is a good practice to use a backup hearbeat to verify the failure of a machine. For example, if the host machine does not generate a heart beat detected by the other hosts in the cluster a back up check could be made to see if the iSCSI storage is being accessed by the missing VMware server. If that heart beat is detected, then the guest is not considered down, but is consider “isolated” and the new instance will not be started.

The issue with High Availability is how long does it take to bring up the replacement guest machine on a new ESXi host? What is the boot time? In Part 2 of this discussion we talked about a configuration that could survive this issue if it was the DVM that went down as the HQ would take over during the down time. If this was implemented in vSphere with HA, the entire process would be transparent to users.

Fault Tolerance is the solution when there can be no down time whatever should the HQ server fail. FT is activated through vCenter as easily as HA, but generates a “mirror” image host that is always running. For example, a ShoreTel HQ server running as primary on ESXi(1) might have a “mirror” host running as a secondary on ESXi(2). Should the primary ShoreTel HQ host fail, within microseconds the ShoreTel HQ mirror or secondary will take over. Not only will it take over as primary, but a new secondary mirror could be started on ESXi(3)!

Clearly FT is the way to go if you feel you can not survive a ShoreTel HQ loss under any condition. Understand that it is resource intensive, as you are minimally running twice the horsepower! Also to keep the “mirror” images alike, you will need a high bandwidth connection between ESXi hosts to provide for “FT Logging” which is all the activity to copy real time between hosts.

As previously mentioned, a copy of VMware vSphere Essentials Kit which includes ESXi for a total of 6 processors or 3 severs with 2 processors each and a copy of vCenter along with updates for 1 year is about $560. vSphere Essentials Enterprise Plus which adds in the functionality of vSphere Hypervisor, vMotion, Cross Switch vMotion, High Availability, Fault Tolerance, Data Protection, vShield Endpoint, vSphere Replication is $4229. Support on all products can be purchase as needed or for term.

Out next project is to figure out how to do this all on Amazon Web Services and at what price!

The video shows key elements of this discussion!

ShoreTel fail over options using VMware – Part 2 the “Poor Man” Option!

Posted on March 24, 2015 by DrVoIP

A simple yet very effective step you can take to assure a high availability is all but free! It occurs to us that it is no longer acceptable to install ShoreTel on anything other than a VMware ESXi server! Lets face it, you have to purchase a hardware package to host your server regardless of which way you go. You have to purchase a copy of Microsoft Server, regardless of which way you go. So how do we make this more cost effective? From our perspective upgrade the hardware platform you have to purchase anyway, to be a quad core with about 16 -32 GB of memory. ESXi is still available for free, so download and install it on that platform then install the Microsoft Server on top of it!

Now you have your ShoreTel HQ server at the HQ site. No harm no foul and you are positioned to do some really kool things. First, clone the Microsoft Server and bring it up as a DVM. The key here is to install the DVM at the same level as the HQ server, not below it as a child server. Put you HQ users on this server and have this server manage all your HQ site ShoreGear switches. The reason for this is, it is the cheapest most cost effect fail over you can provide. ShoreTel servers fail up, OR across but not down. This means if the DVM fails, the HQ server will proxy for it for those users! Forget all that Double Take Double Talk! Just do it.

While you are at it, bring up a virtual ShoreGear User switch as a “spare” switch and also install the vConference switch. The spare switch enables you to spin up an alternative switch for any site, if a switch at a site goes down. No cost to you unless you don’t fail bak in under 45 days! Why would you not do that? Why would you work with a partner who did not just do this as a “best practice”. Come on guys, this is like deployment 101, just do it. The freaking conference server is “free” as an IM solution and the licenses for the conference bridge and desktop sharing users is cost effective when compared to anything in the market including GoTomeeting and Webex! Again, what is there to think about?

So now you have your VMware platform offering a HQ server, a fail over DVM server, User Switch and an IM server. Consider that for the cost of a Microsoft Server (you saved that by cloning one, remember) you can purchase (hoepfully from us) a copy of vmware Essentials. This package adds vCenter to the mix and now you are kicking it. vCenter sets up a centralized administration interface for your ESXi servers. You can now setup heartbeats between the ESXi host and the VM machines as long as they are running VMware tools. You can also run heartbeats between vCenter and the ESXi hosts so that on failure of a heartbeat, vCenter launches another instance of whatever serer went down on another cluster host!

Are you freaking kidding me?

The video shows you how to install the DVM at the same level as the HQ server and how to clone a virtual machine. Subsequent videos will explore the high availability and Fault Tolerant options available with vCenter and clustered ESXi hosts.

WebRTC “peer to peer” Call Center Demo!

Posted on March 17, 2015 by DrVoIP

What is a “peer to peer” call center? The concept is a fully functioning call center that exists only in the internet browser of the workgroup agents and supervisor participating. In fact, no telephone lines are needed, beyond the published customer service number. There is no large internal LAN network. No complex phone configuration, not eve n a handset. All communication with Agents is done through a Chrome or FireFox browser. Your computer needs to have a microphone and be on the internet. The microphone can be built in or be a USB based headset plugged into your computer. (Hey, here is an idea: Music on Hold is so last century, now we can have “video on hold” show them a product demo)!
We created a demo at http://DrQOS.com (Dr Quality of Service, DrVoIP’s alter ego) that you can log into as username:agent1 with a password:test1234. The demo system has a fictitious company automated attendant and when you call the main number 619-717-2143 you will hear the FAKE menu and you should immediately press 1#. You will then be routed through to the logged in Agent. The agent is made ready by just logging into the portal. Click on answer and you will be connected and speaking through the webRTC protocol resident in your browser out to the caller (again remember only Chrome or Firefox browsers are supported).

NOTE – Please do not log in as the Agent and then call yourself through the Agent console, the demo is designed so you can see both sides. You can be the agent or the caller, not both! If there is no Agent logged in, the caller will be asked to leave a Voice Message. In most Browsers the first time you click answer you will be prompted by the browser to grant access to your mic which you should allow!

2017 UPDATE – We have continue to develop the product and have taken down the above site. It has now been replaced with a production ready solution built out on Twilio and AWS. The product enables WebRTC as well as a variety of SMS services including text to email. Please text the word DEMO to 424-348-4000 and we will set you up with a demo account. Here is an overview of the product!

A ShoreTel Communicator for the Mac?

Posted on March 16, 2015 by DrVoIP

We recently had an opportunity to work with a ShoreTel client that was exclusively using Apple Mac’s throughout their enterprise. We asked how they made that decision given the clear cost advantage WinTel PC hardware had over your basic Macbook. The answer was simple and clearly economic. They had used Windows in the past, but found that they had to many problems with virus, email, drivers and the annual cost of license renewals! Yes the Mac’s cost more but they just seem to work and they don’t have to worry license issues. Interesting.

This was a ShoreTel deployment so that made for some interesting trade offs when it got down to the desktop software. The ShoreTel Communicator is optimized for the Windows based machines. There are several license types for Personal, Professional, Workgroup Agent, Workgroup Supervisor and Operator Communicators. With the Mac, there is only one Communicator and it has the functionality of the ShoreTel Web Communicator which is basically a Personal Communicator.

It does however get the job done as far as call handling modes, inbound primary phone options, multiple call management and visual voice mail. You can setup your call handling modes including your personal operator and find me functions for each mode. You can configure and select 5 alternative phones and setup your incoming call routing to include simultaneous ringing of other phones. The visual voice mail tab works just like you would expect and you can also select a history and call details tab.

The noticeable difference is the absence of IM options. ShoreTel had been suggesting the use of iChat for that function as that client was supported on the ShoreTel SA-100/400 conference servers. In the Communicator there is always more than one way to do something: point and click, right click, use some chord sequence on the keyboard that includes the control key. Right clicking on a Mac Communicator however is not going to work! There is however, drop down menu options that appear as required to assist your call management. All in all, the Mac client is an excellent solution if you have a Mac and a ShoreTel. You can download the MAC dmg installation file from the ShoreTel HQ server and you are good to go!