What your home WiFi and Smartphone are telling the entire planet!

Geo-location Wifi databases?

How many of you are aware that there are maps, accessible to the public that show your street address and list the WiFi SSID you are broadcasting in your house, along with the BSSID and router type. These maps even include your cell phone “hot spot” id if you have that turned on.    Check Google and Wigle.net for examples.  They publish maps that show every WiFi WAP and Cell Phone tower across the glove.  You can even punch in your own BSSID (unique device ID like a Mac address) and see if you have been mapped yet.   Do you fully appreciate how much of your private information is being sucked up, stored, sold and monitored?  You can opt out of Goggles Wifi map by editing your SSID and adding “_nomap” to your broadcast name.  Now this might stop Google from publishing the info, but it does not stop them from collecting it and storing it on their servers.   Additionally, this will not stop other mapping efforts by others.

So What you don’t have my password.

Hacking your WiFi is  child’s play and a basic hacking skill known by anyone who takes an interest and studies a bit.  Hacking tool kits are available even for newbies!  Your home WiFi is broadcasting a lot of information about you that does not even require a password.  For example, without a password we can still see all the devices in your home that are connected to your Wireless Access Point (WAP).   This information will broadcast information like the MAC address ( a unique device ID) of all the devices connected to that WAP.   From the MAC address we can determine the manufacture of your device and we can see how many Samsung SmartTV’s, Ring and Arlo Camera’s, Windows or MAC computers and even what iPhone or Android Smartphones are wondering around your house.  We can see which devices are active and if we are serious stalkers we can quickly figure out who owns what device and when that device, say a smartphone, is in the house or not. (So even if you don’t post on Facebook the fact that you are taking a two week vacation, leaving your house empty, we could figure that out anyway).

There is no privacy, so get use to it.

If you think about it, most of America is walking around with a little radio transmitter in their pocket that is constantly broadcasting “here I am” to all the local cell towers.  That data is constantly being archived and sold on a subscription basis to anyone who can pay the price.   The next time you see that Google car driving down your street, understand it is taking more than pictures of your house, it is also mapping your WiFi SSID and adding that information to its database!  All the Meta data about your device and its location is archived forever and available on demand.  Here is a map that shows every cell phone in America along with a great article. 

Great overview of Cell Phone Tracking and mapping

 

Patriot Act Renewed by Congress

Despite the warnings of folks like Edward Snowden and Julian Assange,  while we were all preoccupied with the current DC side show, the Patriot Act was renewed maintaining the governments ability to secretly spy on you.  Remember if it is free, you are not a customer, you are the product!

WTF is Ngrok?

Ngrok better than sliced bread!

As a software engineer developing telecom based web applications, testing and validating software can be a major time sync.  How do you get your lab system on the Internet, accessible with a public IP, so you can test a Webhook or REST API for example?   What if you are working behind a router that has a dynamic IP address?   Reconfiguring your firewall for each test of the new code is a pain!  There has to be an easy way to enable testing without going through 20 acts of vaudeville to test your application code!
We recently discovered two tools that are now essential elements of our software engineering toolkit!   Ngrok is very creative service that solves many problems for testing network-based applications during the pre-deployment, development process.  Ngrok is a software service developed by Alan Shreve, clearly a genius,  who often goes by the name “Inconshreveable”!  In its simplest form, Ngrok is a solution that enables you to expose your lab web server which is normally installed behind a NAT or firewall, and connect with it over the Internet.   Ngrok makes it easy to set up a secure outbound SSL tunnel that can be reached by a hyperlink to a public IP.

Secure tunnels on Demand!

Ngrok is a powerful tool and Alan Shreve is an extraordinary personality!   He makes this available for free use!  No credit card required!   Just open an account here and give this a try!   Then download Ngrok to your local Windows, MAC O/S or Linux development platform, unzip it and run it with a very simple configuration command.   You might enter  “Ngrok http 80” into your terminal window to indicate that you have a web server listening on port 80 on your local machine.

Ngrok then displays a DNS link that you can point at to access and test your application.   Now you can demo without deploying, simplify mobile device testing, build webhook integrations or run personal cloud services from your own private network!   For a modest monthly fee, you can change the random number Ngrok generates for your unique link to a reserved domain name.  So https://92832de0.ngrok.io can become https://yourcompanyname.ngrok.io which will not change and is easy for you to deal with!  The free account generates a random number that will change each time you run Ngrok.   Using a reserved domain also makes webhooks a lot easier.  For example, when developing Twilio applications you would have to change your webhook every time you ran Ngrok.  The paid version enables a reserved domain name that you can now use to stabilize your Twilio webhook!

You can also build secure tunnels that are password protected and able to support multiple simultaneous connections.  Open http://localhost:404o on the platform running your Ngrok client and you can inspect and replay traffic:

We now regularly use Ngrok not only for development testing but also for remote support applications so we don’t have to worry about VPN credentials!    You can create TCP tunnels as easy as you set up HTTP tunnels!  This resource will save you more than enough time to pay the annual fee of $60 for a basic account (1 online process, 3 reserved domain names and eight tunnels per process).     Alan is online from time to time and otherwise provides a link to ask questions!   (Learn about Alan’s other projects here)!  No serious developer, network engineer or remote support technician can afford to be without this power utility! – DrVoIP
(As a product of the 60’s you might note that Grok was first used in “stranger in a strange land”, a SiFi novel.  Profound effect on most of the 60’s generation).

CUBE SIP Header Matching – Extracting DNIS from a Toll Free Number!

The Problem – Call Forwarding DNIS to Toll Free Numbers

Recently we were presented with a new challenge while deploying a Call Center based on the CISCO UCCX Version 11.5 feature set. Generally, we employ DNIS as a strategy for defining the CSQ  service parameters.   The more specific you can make the inbound number, the less you will need to “prompt and collect” digits from your caller.   A call to a specific DNIS number can separate the English callers from the other language options, or route “customer service” differently than routing “technical support”.   DNIS is always a preferred routing strategy.    Using DNIS we can design a single call routing script that can  pull in the CSQ name; offer up the proper audio menu’s; provide unique queue handling options and customize the caller experience all based on the dialed number.

In this centralized scheduling application for a large national medical practice, patients would call a local number in their community.   This number was then forwarded by the carrier to a toll free number that rang into the centralized CISCO cluster and UCCX call center.   The issue was setting up the dial peers to address the number the caller dialed, not the toll free number.   These numbers terminated on a SIP trunk that was serviced by a CISCO CUBE and the number presented was the 10 digits of the toll free number.   The DNIS number, or the number that the caller originally dialed may or may not be buried in the TO field of the incoming SIP headers.

Solution – Step 1 Debug Captures of inbound SIP messages

We need to setup “debug ccsip messages” and “debug voice ccapi inout” and make some test calls.   We need to understand how the carrier is handling the forwarded number.    In the log output below we can see the INVITE is the 877 toll free number.   The number that the caller dialed is the 9323646969 number and we can see that it is in the TO filed of the sip message headers.   We will need to write a dial-peer,voice class uri,  translation rule and profile that extracts the TO field and routes on that number rather than the original INVITE.   It is the “voice class uri” that is most magical in this solution.   (Note that we got luck here and the carrier was handling the call forwarded number in a manner that was appropriate to our goals.   This however is not always the case)!

 

Solution Step 2 “Voice Class URI”

In this example, the caller is dialing 93236453XX which is being call forwarded to the  toll free 877 number and shows up in the sip headers in the TO field.   The solution here is to create a “voice class uri”  rule.  In the snippet below we can see “voice class uri 102 sip” with a “user-id of 9323645323” as an example.   We are going to ultimately want to translate this to a four digit extension number 5323 and this is done with the traditional translation rules.  In this example “voice translation rule 102” does this conversion.  Note however that the translation rule refers to a match on the 877 toll free number, not the  9323645323 number.  This is where the magic of  “voice class uri”, the ability to do dial-peer matching based on the uri.

The Voice Class uri is structured such that it has a unique TAG and then a matching expression or host IP address.   The the snippet below we can see two attemtps to setup up a uri filter based on the last digits in the TO field of the SIP header.  Tag 102 looks to match 5323 and tag 103 looks to match 5324:

Solution Step 3 Dial Peer Matching

The call flow is dictated by dial-peer matching.   From the following snippet:

dial-peer voice 103 voip
translation-profile incoming 5324
session protocol sipv2
incoming uri to 103
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay rtp-nte
no vad

!

dial-peer voice 102 voip
description Incoming – FAX DID
translation-profile incoming 5323
session protocol sipv2
incoming uri to 102
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay rtp-nte
no vad

We can see that the voice class reference is applied to the dial-peer much the way a voice translation-profile is applied with the expression “incoming uri to 102” which sets up a filter to match for the number  9323645323.  Note that the dial peer matches the voice class but it is the translation-profile incoming 5223 that changes the ten digit number of the URI to the desired four digit extension.  In fact if you study the voice-translation rule 102 rule 1, references the toll free number!

These tools, the voice-translation rule and the voice-class uri work together to enable us to route and match dial-peers on information in the uri and not necessarily the original INVITE sip: number! Way powerful!

 

 

What Carrier can provide Fiber to my branch office?

What Carrier do I use for this location?

If are responsible for planning out a WAN connectivity solution for your VoIP deployment, you need to know what carrier services your target circuit location. This can lead to the most frustrating experiences an engineer can have! You actually have to rely on someone else to provide information so you can finish your work! Even a simple point to point VPN tunnel requires you to figure out what carrier options are available at your target location. How do you do that? Start calling a list of carriers and asking the first line call center sales folks if they can provide an internet circuit to your branch office in Syracuse, New York? You do a google search and you end up with a list of possible candidates and then you start your outbound calling! Maybe you have a friend who is a sales rep for a circuit aggregator, so you try that option.

The secret Carrier database!

What if you could go to a website, you don’t even need to talk with a sales person, you just plug in an address and Viol! A list of all the Carriers that can service that location magically appears! X marks the spot of every Fiber drop that carrier has in the specified distance from your target address. Not just the carrier your aggregator wants to show you, but all the carriers that can service that target location. You even get a Google map street photo of the location! What if you could just click on that magic X and get a quote! Now that is freaking awesome!

We have been working on a very large WAN deployment to a ShoreTel system that has over 500 branch offices! Now try and knit together that circuit map without a database resource that you can directly tap. We discovered a website that makes the process as simple as entering a location address. Blow out your candle Pilgrim you search has ended, just click here  enter a Street location and you you will get a list of carrier solutions.

buildinglit.com

The good folks at BuildingIT have made finding WAN solutions as simple as locating an Uber Driver!    You don’t have to talk to a sales person, but if you do, they have some of the smartest circuit folks in the industry.  Can’t find fiber for  your Laramie WO location, ask sales to quote a solution through the website and they will come back with any number of alternative solutions, priced and ready for the next phase of your deployment, installation.   They even offer  bundled project management so you don’t have to worry the deploy.  One throat to choke, one website to research and one solution that makes a lot of sense to us!

 

Cloud based Next Gen Firewalls?

Firewall or Security Appliance?

Along with the general tend for business to move to a subscription based, recurring revenue model, the ubiquitous firewall has also moved to the cloud!   In the case of the firewall, however, there is measurable and dynamic benefit to be realized by coupling your firewall to a cloud based subscription.   The “wild west” that characterizes the internet in the 21st century demands a dynamic, self healing, unified treat management strategy!    It is no longer acceptable to use simple statefull packet inspection based firewalls that limit activity based on network layer source and destination IP address matching.  Firewalls must now become “security appliance” solutions!   Content Filtering Intrusion detection and prevention and a growing shared database of malware protection with cross referenced “reputation” based real time analysis is now the minimum daily adult requirement for network Internet work security.

Most of the popular firewalls in the commercial market place now couple some form of a subscription service to the base cost of the actual hardware.  Generally these subscriptions are spam and email filtering solutions at the low end, but include very advanced content filtering and malware protection at the high end.    Effective content filtering and malware protection requires access to a ever growing database where global information about daily treat and reputation analysis can be analyzed and shared among subscribers.    Identity based networking is also an essential component in managing network resource access.  Group policies that limit the facilities that the “guest” wireless network can access and the bandwidth that it can use, from the facilities and bandwidth that the corporate user can access begin to define the minimum specification for network computing.

Meet My Meraki!

We are particularly fond of the Meraki solution as a good fit alongside of the more sophisticated CISCO Next Generation and “SourceFire” solutions.  Both technologies are recent CISCO acquisitions and significantly expand the company’s well established range of threat management, Identity and VPN solutions.   The Meraki products are not only subscription based,  but are truly “cloud” resident.   This makes it very attractive for IT teams or Managed Service Providers to remotely install, configure and monitor geographically distributed firewalls and VPN devices.    When coupled with the subscriptions for ongoing software updates, the system provides unparalleled cost/benefit performance in the following key areas:

  • Identity Based Access and User Group Policy Control – Local or Active Directory definition of users and guest
  • Intrusion Prevention – Active before, during and after monitoring of known treats
  • VPN Automation – Mesh or Hub and Spoke configurations to integrate remote offices and work groups
  • Content Filtering – Limit internet access by specif URL or Group like “peer to peer”,  “file sharing” or “Social Media”.
  • Anti Malware and Anti Phishing – Active scanning of all HTTP traffic
  • High Availability and Fail over – Device and connection security through multiple uplinks
  • Application Visibility and Control – Know exactly who is using what and how much!
  • Centralized Management  – Log into the device through your cloud based “dashboard

Content Filtering and Central Management

Content Filtering is based on subject matter or specific site URL and is intuitive to configure as show below.     The group polices enable you to assign content filtering based on Active Directory identity and group authentication.  Guest log in pages enable visitors network access.   All of this functionality is dynamically made current through subscriptions and is centrally managed through a “dashboard” that is defined in the “cloud” and accessible by authorized personnel from anywhere on the Internet!

 

merakicontentmanager

Register for a webinar and qualify for a free switch, firewall or WAP!

Use an Ingate SIParator and you are “virtually there”!

We have written on the subject of SBC quite extensively in the past and have also covered the easy installation of the Ingate product (see DrVoIP here).   Readers must find this interesting because the hit counter for our Ingate videos continues to grow, indicating engineers are eager to learn more about this product.   We generally regard ourselves as CISCO brats, but when it comes to Session Border Controllers, we remain deeply impressed with both the Ingate product and, most importantly, the Ingate support team!  Pre-sales support is typically as good as it gets when developing a relationship with a vendor.  Post sales support, however, is where the true value system of a company is tested and Ingate passes with high marks.

Ingate SIParator as a virtualized appliance

Ingate, began shipping product as early as 2001 and has its roots in firewall security products.  Ingate has now made its very popular SIParator Session Border controller available as a virtual software appliance.  The SIParator E-SBC, scalable from 5 -20K sessions can be obtained as either a hardware appliance or as a software package.  There are over 10K SIParators installed and working worldwide, making Ingate the “go to” knowledge base for documented SIP deployment experiences that is without equal on a global basis!   Those of you working with ShoreTel have already discovered how powerful a vmware ESXi deployment can be.   New options for fail safe, high availability and increased reliability magically appear when you virtualize your deployment!   Ingate is no different and the availability of the Ingrate SIParator as a virtualized appliance adds a significant level of both reliability and flexibility to your ShoreTel deployment.

The most widely asked question in the DrVoIP technical support forum:  “Is there a need for a Session Border Controller?”   Why can’t we just use our firewall is a common theme.  Though it is possible to use a firewall to do a SIP trunk implementation, it is not our best practice recommendation to use a firewall in that way.  Even firewalls with AGL SIP functionality fall short of the wide rage of features needed for true SIP arbitration.   We are firm believers that firewalls already have enough work to do and are being attacked even more ferociously every day by a wider group of hackers and evil doers than ever before.   If you are committed to using a “firewall” to do SIP deployments, then we urge you to consider at least using an Ingate SIParator Firewall as a best of breed solution!

A dedicated Session Boarder Controller

Session Border Controllers have a lot of work to do!  The concept of normalization alone could fill a text book.  The fact is,  not all SIP implementations are equal.It is often necessary to swap SIP message headers to achieve the desired results!   Try getting your firewall, unless it is a SIParator, to do a SIP message header translation and you will quickly understand why a dedicated Session Boarder Controller makes sense!

IngateFeatures

The software SIParator is easy to obtain, easy to install, easy to configure, and easy  to license.  Ingate has adopted a pay as you go philosophy, and though the software product scales from 5-2000 channels, you only pay for what you use!  In fact, Ingate is so confident in the adoption rate of its product over competitors,  they offer a 30 day free trial.  Just click here to take advantage of this outstanding offer.

The video is Part one of a two part video on the product!   Part one shows how to obtain, download, and install the virtual SIParator software package.  Part two goes through the configuration of the SIParator on a ShoreTel system for use in SIP trunking deployments.  This material was previously covered in our YouTube video on Ingate and that material is still relevant!

Kudos for Ingate

Lastly, we want to commend Ingate not for having a great product,  but for the quality of the support they offer the entire industry by an ongoing commitment toward the education of the market place on SIP and, now WebRTC technology.   We are not talking about thinly masqueraded advertising, but serious SIP education programs for serious technology students, and a demonstrated sincere desire to advance the state of the art!  They offer an endless variety of webinars,  seminars, ebooks and even work in partnership with the SIP school to further develop and educate industry stake holders.    Excellent work  Ingate and well done! – DrVoIP

[youtube]d89gEZhRMT8[/youtube]

 

Network Security begins with an “Acceptable Use” Policy!

Most folks seem to understand what a firewall is and why it is so very important. They intuitively understand they need something between the “trusted” internal computer network, and the wild west we call the Internet! The installation of a firewall is generally something all business do, from the wireless network at the local coffee shop, to the medium size law firm and the giant multinational distributed enterprise. The barbarians are at the door, but with a firewall we all feel protected! The largest percentage of cyber security risks, however, do not come through the front door and your firewall will never see them enter. The largest risk to the security of your network comes from the employees and guests allowed, either connected by wire or wireless, to attach to your corporate network.

As a CISCO Certified Security Professional, DrVoIP does a great deal of work in the area of computer network security. When called on to do a “Security audit”, “voice readiness” or “network assessment”, the first question we ask executive management is where is your AUP? After all, we can tell you what protocols are running around on your network, and even which user is consuming the most bandwidth. We cannot, however, tell you if they are allowed to use that bandwidth! The creation of an “acceptable use” policy (i.e., AUP) is an essential first step in network security. The AUP communicates to all network users what is supported and what applications are allowed on the network. It describes what is acceptable regarding personal email, blogging, file sharing, web hosting, instant messaging, music and video streaming. It defines what activity is strictly prohibited on the network and clearly outlines what constitutes “excessive use”. The computer network is a valuable corporate asset and as such, it needs to be valued, protected, and secured.

Does your company have a network access and authentication policy? What is the “password” policy? Do you even 0need a password to use the company network? Can anyone just come in and plug whatever phone, pad or computer device they happen to have into the company network? What is the data storage and retention policy? Do you allow VPN tunnels that extend your company network to a home office or coffee shop? Do you allow your users to connect third party provided equipment to your network? Is it acceptable that Bob just added a hub to his office network connection so he can plug in his own printer? How do we feel if Bob plugs in his own wireless access point? Do we have a “guest” network and do we let those folks know what is acceptable on your network?

What are the legal ramifications and liabilities you are exposed to if you are providing a computer network as part of a lease agreement? Are you liable for damages if your computer network is unavailable or “down for any reason? If Home Land Security shows up because your company’s public IP address was traced as originating a terrorist treat, do you have the user agreements in place to mitigate the costs you are about to incur defending your good name and reputation?

Computer network security is more than a firewall. A computer with an Ebola virus, Adware or nefarious RAT (remote access terminal) will infect all computers on your network, threaten your corporate data and render your firewall as useless as a screen door on a submarine. If your company has taken the prudent step of providing a Human Resource or employee manual that spells out the company’s position on work force violence, sexual harassment, vacation day accrual and drugs in the workplace, why don’t you have a manual that defines the acceptable use of your most vital corporate assess, the computer network?

Contact DrVoIP@DrVoIP.com and ask us to send you a sample AUP!   We can assist with the creation of an acceptable use policy that makes sense for your company and your employees while protecting your valuable communication and collaboration asset, the company Intranet!  Then and only then can we do an effective “network assessment”. – DrVoIP

Find the password from behind the ********** and other security vulnerabilities!

If you are paying even the slightest attention to current technology trends, you will notice that many of your desktop applications are taking on the appearance of a browser!  The entire Microsoft Office suite, for example, has been optimized for the “cloud”.  Free versions available for iPhone.   Mobile devices in particular are depending more on “server” side applications with the “client” reduced to a thin client browser type interface.   The good news is that less computing power is needed at the desktop making the possibility of re purposing old computer as thin clients a reality.  No need to run out and get the latest hardware and desktop operating systems, if you are moving to the equivalent of Microsoft Office 365,  Google Docs or any of the increasingly popular cloud based solutions.

Along with the dependency on browser based applications is the alarming rate of security vulnerabilities that are exploit by the savvy against the less sophisticated user.   As the browser becomes more widely used as the primary application interface, more security violations are  experienced.  Why?  The best way to understand this phenomena is to look at a very simple example of a security vulnerability observable on most desktops, the cached Password.   When you bring up your browser to access your favorite cloud application, your user name and password are often presented automatically.  The Password field is generally filled with a string of ************ to block out your password from view.  Once you realize how easy it is to recover that Password and to display it in clear text, you will intuitively learn how dangerous cloud based security vulnerabilities can quickly become if not judiciously policed by an educated user population!

 

Can I text your Enterprise Contact Center?

Phone only ‘call centers’ have been rapidly replaced with ‘contact centers’ that can also handle email and chat communications.  Customers want more options for interacting with companies they buy products and services from.  Chat requires the customer to be at a computer and though email may be sent from a mobile phone, generally the sender is at a desktop.    In a wireless world in which every man, woman and child seems to wonder around with a ‘text’  or sms enabled device on their person, does it not make sense that they would want to text your call center?

Most call centers seem to be comfortable adding more and more incoming telephone lines, but never seem to add more agents?  We now queue up more clients to the same number of agents and expect that our customer satisfaction scores will increase with each new telephone line we add.   Chat and email increase the options that an agent can use to communicate with a customer, but only text offers location independent immediacy and the highest level of accuracy in CRM integrations.

A text will be read, on the average, within 10 seconds of its arrival.  It has a significantly higher read rate than email.  It is considered spam free, as you must opt in from you own mobile phone to receive future text messages.  As most folks under 30 do not even have a land line, using the CID of a SMS text will yield a much higher accuracy rate when doing screen pops from CRM integrations.    Self Service options for SMS are enormous and scheduling an agent call back could not be any easier!

What would you rather do: call into a contact center, listen to the obligatory menu of options, self navigate to the customer service group and then hear the first queue message: “the next available agent will be with you momentarily”; or send a SMS text message directly to the contact center group, by passing the automated attendant  and if you do not receive an immediate call back, receiving a confirmation text that an agent will call you at your mobile number in four minutes?

We have created a website to enable you to immediately setup a text based marketing campaign! You can create an account at our TEXT PORTAL  and select a phone number for your campaign and be in the digital marketing world in minutes.  We give you free SMS credits when you activate your account!  Interested in extending this capability to your Contact Center?  We can implement text functionality to your ShoreTel Contact Center or CISCO UCCX in a matter of hours!

Contact DrVoIP@DrVoIP.com or send the word CALLME to 603-426-3253 for sample application!  If you would like to test T2E (Text to Email) text your email address to the same number and we will set you up. – DrVoIP

ShoreTel VPN or MPLS? What works and saves money?

An IPsec Virtual Private Network or VPN, is sometimes used as a backup route for a Wide Area Network failure.  VPN’s are typically deployed as a “tunnel” through the Internet and as such are “point to point” solutions by definition.  Unfortunately that will not get the job done for a VoIP deployment!  If you have ever deployed ShoreTel over a VPN in a multi site network that has more than two sites,  you will note that it has problems.  The first problem you will note  is that the Switch Connectivity display within the ShoreTel ShorewareDirector management portal looks like a Christmas tree.  Normally in a finally tuned network you should see all green in the connectivity display.  In an IPsec VPN network, using a “hub and spoke” implementation or “point to point” links you will see lots of Red and Yellow boxes and switch connectivity will be inconclusive at best.

Next, you will undoubtedly experience instances of “one way audio”. Again, this is because an IPsec VPN is a “point to point” solution, when you really require a fully messed solution that can handle more than unicast packet transfers. Additionally, as IPsec applies encryption based on a “shared key” so the two end points must possess the key! IPsec does not support Multicast or Broadcast and this make it less then desirable for a VoIP deployment. Unicast is when you address the source and destination IP address to a specific target device.  Broadcast is used when you must sent to all network devices because you do not know the destination address. Multicast is used when you send to a group of devices that monitor a target IP address for network management and service subscriptions. Using an IPsec point to point VPN might get your phones to register and enable you to make phone calls, but you will be plagued by network connectivity issues that will make your VoIP deployment problematic. Your technical support center or help desk phones will be constantly ringing with unhappy users and incomplete phone calls.

You don’t have to be a Network guru to understand a “hub and spoke” topology. All communications between devices at different sites (i.e. spoke end points) must traverse the hub site if they are to communicate between each other. This might work for unicast communication, but it is inefficient and invites disaster. For two sites (i.e. spokes) to communicate the have to go through the hub, unpacking and repacking, encrypting and decrypting, sharing keys before resending packets to the ultimate destination. Assuming you are using this configuration only as a backup during a real WAN disaster, this might be acceptable temporarily. Using IPsec VPN “hub and spoke” topology in a ShoreTel VoIP deployment, it is not very useful. We have two issues: first, IPsec does not support anything other than Unicast communication; and secondly “hub and spoke” is unworkable because “spoke to spoke” communication is required.

How do we solve this? Fortunately there are two strategies that fit the bill perfectly. First, GRE or ‘generic routing encapsulation’ should be used to support broadcast and multicast communications, a core component of any network deployment, especially those of a VoIP variety. Secondly, DMVPN or “dynamic multipoint virtual private network’ technology should be implemented to assure “spoke to spoke” communications. DMVPN, which employs mGRE (muti-point GRE) and Dynamic Next Hop Router Resolution protocol (DNHRP) technologies make it possible to deploy a ShoreTel VoIP solution over the public internet and achieve MPLS like connectivity at a fraction of the cost.  Given sufficient bandwidth, this should be more than adequate.

What about encryption you might ask?   ShoreTel, CISCO and most VoIP solutions provide encryption at the network and transport level anyway, so this component may not be needed.  If you are also moving data over this mesh, then you can use DMVPN in conjunction with IPsec to assure confidentiality, integrity and authentication (i.e. CIA).  The issue is that a fully meshed communications network is absolutely obtainable with VPN technology, but you have to implement the correct protocol to achieve the desired results!

WAN configuration is an exact science as is ShoreTel and CISCO VoIP technology. If you are fortunate to have that level of expertise in one individual or one vendor, then you are moving in the right direction with your VoIP deployment. If you need help in the WAN aspect of VoIP, then you need to call on DrVoIP. We can make the network.