V14 Configuring ShoreTel SIP Trunks P2 – SonicWall or InGate SBC?

A question that keeps coming up in the support ticket system is the subject of Ingate and Session Border Controllers. Folks want to know if you need an SBC to configure a SIP trunk. Why not just use a firewall? Can you configure ShoreTel SIP trunks to work without an SBC? The simple answer is “yes” but the smart answer is “no”. In our humble opinion, just because you can do it does not mean you should do it! Session Border Controllers, like those offered by Ingate for ShoreTel, provide functionality not normally found on a firewall. “Normalization”, for example, the ability to mediate between ShoreTel SIP and your carrier’s SIP (they most likely speak different “dialects” of the common SIP language), is not a standard firewall feature.

Application Level Gateways sometimes take actions that are injurious to SIP messages. Remember, SIP was not designed for NAT-based networks. Something has to keep track of which internal, private, trusted-network users made a SIP request for service to another IP address across an untrusted boundary! Which RTP (voice, video or “media”) ports need to be opened to support this request? An SBC can do this more effectively than a firewall. At the end of the day, you end up turning off the SIP ALG functions in your firewall to make it work! (In SonicWall, turn off “consistent NAT” and “SIP transformations”.)

We have never recommended bringing your SIP services into your VoIP deployment over the same circuit as your Internet circuit, but so be it. At least let’s use a separate IP address and make use of the DMZ port on your firewall if you are not going to use a separate circuit! Let us try to keep the SIP traffic from undergoing the same port-specific inspections you put the Internet traffic through! Again, our best practice recommendation for ShoreTel, if you are serious about SIP trunks as the main communications link for your company, is to get an Ingate SBC and bring your service in on a separate circuit or IP!

SonicWall has for some time had a number of “service objects” to support the ShoreTel MGCP phones. In fact, before SIP was enabled on ShoreTel, all media flowed on port 5004, which was really great for enabling transport-level QoS! Though there is a steady trend to use TLS and get both SIP messages and RTP over a single port, most SIP carriers expect to send messages on UDP 5060. So if you are using a SonicWall, you will need to create new Service Objects and put them in new Service Groups to get SIP to work. You will need to configure Network Objects for your ShoreTel SIP proxy and configure access rules. We recommend you also create a network object for your ITSP rather than opening 5060 to all the script kiddies running SipVicious!
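To make the firewall and ALG points above concrete, here is an added Python example (ours, not ShoreTel’s or SonicWall’s code) that parses constructed SIP messages and applies the rule described: accept SIP only from the ITSP network object, flag scanner probes, list the RTP ports each permitted call needs, and show which private addresses an SBC or ALG would have to rewrite on an outbound INVITE. The carrier range, the proxy address and the messages are assumed sample values.

```python
import ipaddress
import re

# Assumed "network object" for the carrier (ITSP); a documentation range, not a real carrier.
ITSP_NETWORK = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample messages (not captured traffic). Mandatory headers such as
# From/To/Call-ID/CSeq are omitted because the checks below do not read them.
INVITE_FROM_CARRIER = (
    "INVITE sip:7025551212@203.0.113.200 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asd\r\n"
    "Contact: <sip:13105550100@203.0.113.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 203.0.113.5\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
)
INVITE_FROM_SHORETEL = (
    "INVITE sip:13105550100@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK11\r\n"
    "Contact: <sip:7025551212@192.168.10.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.10.20\r\n"
    "m=audio 20000 RTP/AVP 0 101\r\n"
)
SCANNER_PROBE = (
    "OPTIONS sip:100@203.0.113.200 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bK-1\r\n"
    "User-Agent: friendly-scanner\r\n"
    "\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (request line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_media_ports(body):
    """RTP ports announced in SDP m= lines: the ports a firewall must open per call."""
    return [int(line.split()[1]) for line in body.split("\r\n") if line.startswith("m=")]

def is_rfc1918(addr):
    """Private (NAT-ed) address space; the documentation ranges above count as public here."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def nat_rewrite_targets(raw):
    """Private addresses in Via, Contact and SDP c= lines: what an SBC (or a SIP ALG)
    has to rewrite on the way out. Empty means the message is already routable."""
    _, hdrs, body = parse_sip(raw)
    text = " ".join([hdrs.get("via", ""), hdrs.get("contact", "")]
                    + [ln for ln in body.split("\r\n") if ln.startswith("c=")])
    return sorted({a for a in IPV4.findall(text) if is_rfc1918(a)})

def assess_inbound(raw, src_ip, itsp_net=ITSP_NETWORK):
    """The post's access rule: SIP accepted only from the ITSP network object, scanner
    User-Agents flagged, and the media ports a permitted INVITE needs reported."""
    req, hdrs, body = parse_sip(raw)
    from_itsp = ipaddress.ip_address(src_ip) in itsp_net
    scanner_ua = "scanner" in hdrs.get("user-agent", "").lower()
    return {
        "method": req.split()[0],
        "from_itsp": from_itsp,
        "scanner_ua": scanner_ua,
        "verdict": "allow" if from_itsp and not scanner_ua else "drop",
        "rtp_ports": sdp_media_ports(body) if from_itsp else [],
    }

if __name__ == "__main__":
    print(assess_inbound(INVITE_FROM_CARRIER, "203.0.113.5"))
    print(assess_inbound(SCANNER_PROBE, "198.51.100.77"))
    print("SBC must rewrite:", nat_rewrite_targets(INVITE_FROM_SHORETEL))
```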

We will do this again on a Cisco ASA 5505 just for giggles, as we get a lot of requests for that as well! At the end of the day, however, for a serious business application of SIP trunks on ShoreTel, get a separate circuit and invest in an Ingate SBC! Heck, you can even get a virtualized version of Ingate!

A ShoreTel Workgroup is a Contact Center for the rest of us!

We have been working around the call center space for a long time. Actually, it is our first love! Does everyone need a full-blown Contact Center? If you have a real boiler room operation, with shifts of agents that are heavily managed, counted, recorded and measured, complete with staff forecasting and multiple channels of client communication, yes, you need an Enterprise Contact Center. As Arlo Guthrie might say, “what about the rest of us”? The small to medium size business that is really not cracking the whip on customer service agents, but making efficient use of “knowledge workers” who often participate within a group setting. How do we organize customer calls to this group?

A technical support group or an order entry group might be a good example. By grouping these folks into a “workgroup” we can funnel calls to them in a call-center-like fashion without the call center overhead of application servers and third-party middleware. ShoreTel has an embedded call-center-like feature aptly named “Workgroups” that is an ideal solution for this environment. You can organize a group, route calls to group members and even queue the call until a group member becomes available. While callers are in queue, you can organize the messages they hear and the time they wait between care messages, and you can also provide “bail out” options at each step of the way.

The workgroup can be reached as a menu selection off an automated attendant, or it can have a phone number assigned that enables outsiders to call the workgroup directly! The workgroup can have an operating schedule applied that routes callers to alternative answer points if the group is reached after hours. Group members can log in and log out of the workgroup using their ShoreTel Communicator and still maintain their personal extension number and mailbox. While logged into the workgroup, they can share the group voice mailbox and see callers waiting in queue! Supervisors can monitor the callers in queue and manipulate resources to meet call demand. Reporting statistics on the group are maintained and easily obtained by the workgroup supervisor or an administrator with reporting permissions.

We are now even making it possible for Callers to TEXT into your workgroup!  Group members can even email back a TEXT message!

The ShoreTel Workgroup strategy is powerful call-center-like functionality and very cost effective. The marginal cost of adding agent and supervisor licenses when you implement a ShoreTel iPBX, compared to adding a complete Enterprise Contact Center, is amazingly low! We would be happy to explain the difference between a Workgroup and the ECC, so just contact us for details!

TEXT the keyword “workgroup” along with your name or email to 702-956-8700 and we will respond immediately!

VPN’s and VoIP – Getting Connected!

We see a lot of VoIP deployments that come to us for troubleshooting. A common problem statement is that the HQ site can call both Chicago and Dallas, but Dallas and Chicago can’t call each other. A savvy network administrator will have figured out that there is a routing issue, but how so? Clearly HQ knows how to reach each remote site and the remote sites know how to reach HQ, so where is the breakdown? At about this time, we learn they have VPNs that provide tunnel connections to each location, and it all becomes clear!

The standard “tunnel” solutions currently available include IP Security (IPsec), GRE, Easy VPN and the new “tunnel-less” Group Encrypted Transport VPN (GET-VPN). Most folks make the mistake of picking plain IPsec for connectivity; being an inherently point-to-point technology, it leaves them with the problem statement summarized above. Even a “hub and spoke” solution is not ideal unless we make “spoke to spoke” connectivity possible. Ideally, we need to configure our VPN so Dallas can communicate with Chicago without passing through HQ!

IPsec is really an encryption and authentication technology that enables secure communications across the public Internet. It is generally used in multi-vendor deployments. IPsec does not support any protocol other than IP, so it cannot be used with the routing protocols that might otherwise be used to solve our issue. For this reason, many deployments will use GRE over IPsec: GRE to address the routing protocol issue and IPsec to provide the security of authentication and encryption. We are still, however, in point-to-point mode, or in heavy manual administration mode to configure a simple mesh!

The smart money is on “Next Hop Resolution Protocol”, or NHRP, used in strategies like FlexVPN, GET-VPN or DMVPN. These solutions provide a full mesh option while providing for encryption and data integrity. In the problem statement above, had we installed GET-VPN, a tunnel-less solution, the Chicago and Dallas sites could communicate directly without having to route through HQ at all.

VPN’s and VoIP – Getting economical “full mesh” Connectivity without MPLS!

The smart money is on “Next Hop Resolution Protocol”, or NHRP, used in strategies like FlexVPN, GET-VPN or DMVPN. These solutions provide a full mesh option while providing for encryption and data integrity. In the problem statement above, had we installed FlexVPN, the Chicago and Dallas sites could communicate directly without having to route through HQ or a hub. We would have “spoke to spoke” communications! As broadband becomes more widely accepted and bandwidth becomes less of an issue, we should see more VPN technology deployed in place of, or in concert with, private network technologies like MPLS (GET-VPN over MPLS is really kool).
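An added Python model (not the post’s or any vendor’s code) of the three-site problem as the post describes it: bare point-to-point IPsec, GRE over IPsec with a routing protocol, and an NHRP overlay with the hub acting as next-hop server. The site names follow the post; the addresses and the simplified NHRP exchange are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str
    nbma: str       # public address the tunnel terminates on
    tunnel_ip: str  # address inside the overlay (mGRE) tunnel
    lan: str        # LAN prefix this site advertises

# Constructed addresses (documentation ranges) standing in for the post's three sites.
HQ = Site("HQ", "198.51.100.1", "10.0.0.1", "192.168.1.0/24")
DALLAS = Site("Dallas", "198.51.100.2", "10.0.0.2", "192.168.2.0/24")
CHICAGO = Site("Chicago", "198.51.100.3", "10.0.0.3", "192.168.3.0/24")

class PointToPointTunnels:
    """Hand-built pairwise tunnels. Bare IPsec only carries traffic between the two
    endpoints' LANs; GRE over IPsec runs a routing protocol, so it can transit a site."""

    def __init__(self, routed):
        self.routed = routed
        self.adj = {}

    def add_tunnel(self, a, b):
        self.adj.setdefault(a.name, set()).add(b.name)
        self.adj.setdefault(b.name, set()).add(a.name)

    def path(self, src, dst):
        """Sites a packet from src's LAN to dst's LAN traverses; None if undeliverable."""
        if not self.routed:
            return [src.name, dst.name] if dst.name in self.adj.get(src.name, ()) else None
        queue, seen = deque([[src.name]]), {src.name}
        while queue:
            route = queue.popleft()
            if route[-1] == dst.name:
                return route
            for nxt in self.adj.get(route[-1], ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(route + [nxt])
        return None

class NhrpOverlay:
    """DMVPN-style: one multipoint tunnel per site; the hub is the Next Hop Server."""

    def __init__(self, hub):
        self.hub = hub
        self.nhs_table = {hub.tunnel_ip: hub.nbma}  # tunnel IP -> NBMA (public) address
        self.routes = {hub.lan: hub.tunnel_ip}      # LAN prefix -> tunnel IP of its owner
        self.shortcuts = {}                         # spoke name -> {tunnel IP: NBMA}
        self.exchange = []                          # NHRP messages, for the reader

    def register(self, spoke):
        """NHRP Registration: the spoke gives the NHS its tunnel-to-NBMA mapping; the
        routing protocol over the same tunnel carries the spoke's LAN prefix."""
        self.nhs_table[spoke.tunnel_ip] = spoke.nbma
        self.routes[spoke.lan] = spoke.tunnel_ip
        self.exchange.append(f"{spoke.name} -> NHS: register {spoke.tunnel_ip} = {spoke.nbma}")

    def send(self, src, dst):
        """Sites a packet traverses. The first spoke-to-spoke packet rides via the hub
        while an NHRP Resolution Request/Reply sets up the direct tunnel."""
        next_hop = self.routes[dst.lan]
        cache = self.shortcuts.setdefault(src.name, {})
        if next_hop == self.hub.tunnel_ip or next_hop in cache:
            return [src.name, dst.name]
        nbma = self.nhs_table[next_hop]
        self.exchange.append(f"{src.name} -> NHS: resolve {next_hop}? reply: {nbma}")
        cache[next_hop] = nbma
        return [src.name, self.hub.name, dst.name]

def compare():
    """Reproduce the post's problem statement and the two fixes."""
    ipsec, gre = PointToPointTunnels(routed=False), PointToPointTunnels(routed=True)
    for topo in (ipsec, gre):
        topo.add_tunnel(HQ, DALLAS)
        topo.add_tunnel(HQ, CHICAGO)
    overlay = NhrpOverlay(HQ)
    for spoke in (DALLAS, CHICAGO):
        overlay.register(spoke)
    return {
        "ipsec_only": ipsec.path(DALLAS, CHICAGO),           # None: the post's complaint
        "gre_over_ipsec": gre.path(DALLAS, CHICAGO),         # via HQ: hub and spoke
        "nhrp_first_packet": overlay.send(DALLAS, CHICAGO),  # via HQ while resolving
        "nhrp_after": overlay.send(DALLAS, CHICAGO),         # direct spoke to spoke
        "exchange": overlay.exchange,
    }
```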

Give us a call and we can noodle out what “full mesh” technology makes the most sense for your organization, both technically and economically!  We are here to help make the network!

ShoreTel SIP Trunk Configuration – Version 14 update Part 1

Our older posts on this subject are getting a bit dated and an update is long overdue. ShoreTel has been using a version of SIP since day one. We say a version of SIP because at the formation of ShoreTel, SIP standards had not yet been solidified. ShoreTel SIP, therefore, was not interoperable, nor did it need to be. Our first experience with ShoreTel was Version 3.1 back in 2001! At that time, ShoreTel did not yet support IP phones, but ShoreTel SIP was, and continues to be, the call setup protocol used between ShoreGear switches.

Though ShoreTel introduced IP phones in Version 4 with the private labeling of Polycom handsets, ShoreTel SIP for desktop devices did not become available until Version 8. This early version of the SIP protocol required you to configure the first version of the IP8000 as a SIP trunk, not a SIP extension. It was a step in the right direction, but it was not until V13 that we got a version that was more compatible with other SIP devices, and not until Version 14 that we reached PRI parity on SIP trunks with the introduction of media termination points.

SIP in general is relatively simple to configure and mirrors most of the steps you take to implement a normal TDM trunk group. The devil, however, is in the details! IP profiles, NAT, firewall, Digest Authentication and carrier particulars need to be mapped out. Generally, a Session Border Controller is a best practice for a SIP deployment. Where does your network end and the carrier network begin? Well, that clear demarcation is the single most important benefit of an SBC! Additionally, the SBC can be the point at which we “normalize” SIP messages and translate between any dialect differences between SIP implementations.

Generally, in ShoreTel you will set up your underlying resources by allocating ShoreGear switch ports, media termination points, profiles, timers and DTMF handling configurations. The creation of a SIP trunk group is very similar to the configuration of a PRI trunk group, and the same options will need to be specified as to the use of this group. Then SIP trunks are added to the SIP trunk group; these are the actual circuits on which phone calls will take place. If the trunk group is to support tandem trunking and is connecting to another system as a tie line, the off-premise extensions and digit translation options will also need to be configured.

The first video will walk through the configuration of a TIE trunk between two ShoreTel systems. One system will use the TIE trunk to place all outbound PSTN phone calls through the other ShoreTel system. Both systems will use the trunk group for extension-to-extension calling, with one system having extensions in the range 200-299 and the other having extensions in the 300-399 range. We will walk through the basic configuration and then also take a look at Wireshark captures to illustrate the SIP call setup message exchange. In the second part of this update, we will route calls out a SIP trunk to a SIP carrier for PSTN calls, using several different SBCs.

Contact DrVoIP@DrVoIP.com to have us set this up for you! We offer flat rate configurations!

ShoreTel fail over options using VMware – Part 3 the “HA” and “FT” Option!

A quick review of vocabulary before we go into this subject any further. First, when we refer to vSphere, we are talking about the entire VMware ecosystem and all of its components. It is just shorthand for the entire system solution. ESXi is the VMware hypervisor: it runs on the “host” hardware, and the “guest” virtual machines run on it. vCenter is an administrative portal that enables you to manage multiple Datacenters. A Datacenter is a collection of ESXi hosts. I strongly urge all serious engineers to watch Keith Barker’s presentation on CBT Nuggets on this subject, particularly his presentation on HA and FT in the certification training for vSphere VCP5-DCV. Keith is a truly excellent instructor and he gets paid to make videos!

A more advanced (read: costs more money) strategy for managing server failures in vSphere is either High Availability or Fault Tolerance. Assuming we have three ESXi hosts, let’s take a quick look at how each of these strategies would work. Using vCenter we would enable High Availability, or HA, at the cluster level. The first ESXi host to boot up would be nominated Master. Assume the ShoreTel HQ is a virtual server running on this host, ESXi(1). All the ESXi hosts in the cluster would exchange heartbeats over the management LAN that they all share. Should the heartbeat from ESXi(1) not be detected, it would be considered down and the virtual machine would be restarted on the secondary server in that cluster.

A VMware guest server running VMware Tools can also generate heartbeats between itself and the ESXi host that it is running on. Should the host not receive a heartbeat from the guest server, it would consider it down and cause a new instance of that VM to run. Generally, it is a good practice to use a backup heartbeat to verify the failure of a machine. For example, if the host machine does not generate a heartbeat detected by the other hosts in the cluster, a backup check could be made to see if the iSCSI storage is still being accessed by the missing server. If that heartbeat is detected, then the guest is not considered down, but is considered “isolated”, and the new instance will not be started.

The issue with High Availability is how long it takes to bring up the replacement guest machine on a new ESXi host. What is the boot time? In Part 2 of this discussion we talked about a configuration that could survive this issue if it was the DVM that went down, as the HQ would take over during the downtime. If this was implemented in vSphere with HA, the entire process would be transparent to users.
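As an added example (ours, not the post’s or VMware’s code), a small Python model of the two-heartbeat rule described above: a host that stops heartbeating on the management LAN is only declared dead, and its VMs restarted elsewhere, if it has also stopped heartbeating to shared storage; otherwise it is held as “isolated”, and a guest whose VMware Tools heartbeat stops on a healthy host is reset in place. The timeouts and the cluster are assumed values, not vSphere defaults.

```python
from dataclasses import dataclass

# Assumed timeouts for this model (example values, not vSphere's defaults).
NET_HB_TIMEOUT = 15    # seconds of missed management-LAN heartbeats before the master reacts
DS_HB_TIMEOUT = 30     # seconds of missed datastore (iSCSI) heartbeats before a host is "dead"
TOOLS_HB_TIMEOUT = 30  # seconds of missed VMware Tools heartbeats before a guest is "hung"

@dataclass
class Host:
    name: str
    last_net_hb: float  # time of the last heartbeat the master saw over the management LAN
    last_ds_hb: float   # time of the last heartbeat written to shared storage

@dataclass
class Vm:
    name: str
    host: str             # ESXi host the VM is currently on
    last_tools_hb: float  # time of the last VMware Tools heartbeat from inside the guest

def host_state(host, now):
    """The network heartbeat alone only says 'unreachable'; the datastore heartbeat
    decides whether that means 'dead' or merely 'isolated'."""
    if now - host.last_net_hb <= NET_HB_TIMEOUT:
        return "live"
    if now - host.last_ds_hb <= DS_HB_TIMEOUT:
        return "isolated"  # still touching storage: its VMs are probably still running
    return "dead"

def plan(hosts, vms, now):
    """Return (action, vm, target) tuples an HA master would issue at time `now`."""
    state = {h.name: host_state(h, now) for h in hosts}
    live = [h.name for h in hosts if state[h.name] == "live"]
    actions = []
    for vm in vms:
        if state[vm.host] == "dead":
            # Restart on another surviving host (first live host that is not the failed one).
            target = next((h for h in live if h != vm.host), None)
            actions.append(("restart", vm.name, target))
        elif state[vm.host] == "isolated":
            actions.append(("hold", vm.name, vm.host))   # never start a second copy
        elif now - vm.last_tools_hb > TOOLS_HB_TIMEOUT:
            actions.append(("reset", vm.name, vm.host))  # guest hung, host fine: VM monitoring
    return actions

def scenario(now=100.0):
    """Constructed three-host cluster with ShoreTel HQ on ESXi(1), as in the post."""
    hosts = [
        Host("ESXi1", last_net_hb=now - 40, last_ds_hb=now - 40),  # silent on LAN and storage
        Host("ESXi2", last_net_hb=now - 2, last_ds_hb=now - 2),    # healthy
        Host("ESXi3", last_net_hb=now - 40, last_ds_hb=now - 3),   # LAN lost, storage fine
    ]
    vms = [
        Vm("ShoreTel-HQ", host="ESXi1", last_tools_hb=now - 40),
        Vm("ShoreTel-DVM", host="ESXi2", last_tools_hb=now - 45),  # guest hung
        Vm("vConference", host="ESXi3", last_tools_hb=now - 1),
    ]
    return plan(hosts, vms, now)

if __name__ == "__main__":
    for action in scenario():
        print(action)
```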

Fault Tolerance is the solution when there can be no downtime whatsoever should the HQ server fail. FT is activated through vCenter as easily as HA, but generates a “mirror” image of the guest that is always running. For example, a ShoreTel HQ server running as primary on ESXi(1) might have a “mirror” running as a secondary on ESXi(2). Should the primary ShoreTel HQ fail, within microseconds the ShoreTel HQ mirror, or secondary, will take over. Not only will it take over as primary, but a new secondary mirror could be started on ESXi(3)!

Clearly FT is the way to go if you feel you cannot survive a ShoreTel HQ loss under any condition. Understand that it is resource intensive, as you are minimally running twice the horsepower! Also, to keep the “mirror” images alike, you will need a high bandwidth connection between ESXi hosts to provide for “FT Logging”, which is all the activity copied in real time between hosts.

As previously mentioned, a copy of the VMware vSphere Essentials Kit, which includes ESXi for a total of 6 processors (3 servers with 2 processors each) and a copy of vCenter, along with updates for 1 year, is about $560. vSphere Essentials Enterprise Plus, which adds in the functionality of vSphere Hypervisor, vMotion, Cross Switch vMotion, High Availability, Fault Tolerance, Data Protection, vShield Endpoint and vSphere Replication, is $4229. Support on all products can be purchased as needed or for a term.

Our next project is to figure out how to do this all on Amazon Web Services, and at what price!

The video shows key elements of this discussion!

ShoreTel fail over options using VMware – Part 2 the “Poor Man” Option!

A simple yet very effective step you can take to assure high availability is all but free! It occurs to us that it is no longer acceptable to install ShoreTel on anything other than a VMware ESXi server! Let’s face it, you have to purchase a hardware package to host your server regardless of which way you go. You have to purchase a copy of Microsoft Server, regardless of which way you go. So how do we make this more cost effective? From our perspective, upgrade the hardware platform you have to purchase anyway to a quad core with about 16-32 GB of memory. ESXi is still available for free, so download and install it on that platform, then install the Microsoft Server on top of it!

Now you have your ShoreTel HQ server at the HQ site. No harm, no foul, and you are positioned to do some really kool things. First, clone the Microsoft Server and bring it up as a DVM. The key here is to install the DVM at the same level as the HQ server, not below it as a child server. Put your HQ users on this server and have this server manage all your HQ site ShoreGear switches. The reason for this is that it is the cheapest, most cost-effective fail over you can provide. ShoreTel servers fail up, OR across, but not down. This means if the DVM fails, the HQ server will proxy for it for those users! Forget all that Double Take Double Talk! Just do it.

While you are at it, bring up a virtual ShoreGear user switch as a “spare” switch and also install the vConference switch. The spare switch enables you to spin up an alternative switch for any site if a switch at a site goes down. No cost to you unless you don’t fail back in under 45 days! Why would you not do that? Why would you work with a partner who did not just do this as a “best practice”? Come on guys, this is like deployment 101, just do it. The freaking conference server is “free” as an IM solution, and the licenses for the conference bridge and desktop sharing users are cost effective when compared to anything in the market, including GoToMeeting and Webex! Again, what is there to think about?

So now you have your VMware platform offering an HQ server, a fail over DVM server, a user switch and an IM server. Consider that for the cost of a Microsoft Server (you saved that by cloning one, remember) you can purchase (hopefully from us) a copy of VMware Essentials. This package adds vCenter to the mix and now you are kicking it. vCenter sets up a centralized administration interface for your ESXi servers. You can now set up heartbeats between the ESXi host and the VM machines as long as they are running VMware Tools. You can also run heartbeats between vCenter and the ESXi hosts so that on failure of a heartbeat, vCenter launches another instance of whatever server went down on another cluster host!

Are you freaking kidding me?

The video shows you how to install the DVM at the same level as the HQ server and how to clone a virtual machine.  Subsequent videos will explore the high availability and Fault Tolerant options available with vCenter and clustered ESXi hosts.

WebRTC “peer to peer” Call Center Demo!

What is a “peer to peer” call center? The concept is a fully functioning call center that exists only in the Internet browser of the workgroup agents and supervisor participating. In fact, no telephone lines are needed beyond the published customer service number. There is no large internal LAN network, no complex phone configuration, not even a handset. All communication with agents is done through a Chrome or Firefox browser. Your computer needs to have a microphone and be on the Internet. The microphone can be built in or be a USB-based headset plugged into your computer. (Hey, here is an idea: Music on Hold is so last century; now we can have “video on hold” and show them a product demo!)

We created a demo at http://DrQOS.com (Dr Quality of Service, DrVoIP’s alter ego) that you can log into as username: agent1 with password: test1234. The demo system has a fictitious company automated attendant, and when you call the main number 619-717-2143 you will hear the FAKE menu and you should immediately press 1#. You will then be routed through to the logged-in agent. The agent is made ready by just logging into the portal. Click on answer and you will be connected and speaking through the WebRTC protocol resident in your browser out to the caller (again, remember only Chrome or Firefox browsers are supported).

NOTE – Please do not log in as the agent and then call yourself through the agent console; the demo is designed so you can see both sides. You can be the agent or the caller, not both! If there is no agent logged in, the caller will be asked to leave a voice message. In most browsers, the first time you click answer you will be prompted by the browser to grant access to your mic, which you should allow!

2017 UPDATE – We have continued to develop the product and have taken down the above site. It has now been replaced with a production-ready solution built out on Twilio and AWS. The product enables WebRTC as well as a variety of SMS services, including text to email. Please text the word DEMO to 424-348-4000 and we will set you up with a demo account. Here is an overview of the product!

Can I text your Enterprise Contact Center?

Phone-only ‘call centers’ have been rapidly replaced with ‘contact centers’ that can also handle email and chat communications. Customers want more options for interacting with the companies they buy products and services from. Chat requires the customer to be at a computer, and though email may be sent from a mobile phone, generally the sender is at a desktop. In a wireless world in which every man, woman and child seems to wander around with a ‘text’ or SMS-enabled device on their person, does it not make sense that they would want to text your call center?

Most call centers seem comfortable adding more and more incoming telephone lines, but never seem to add more agents. We now queue up more clients to the same number of agents and expect that our customer satisfaction scores will increase with each new telephone line we add. Chat and email increase the options an agent can use to communicate with a customer, but only text offers location-independent immediacy and the highest level of accuracy in CRM integrations.

A text will be read, on average, within 10 seconds of its arrival. It has a significantly higher read rate than email. It is considered spam free, as you must opt in from your own mobile phone to receive future text messages. As most folks under 30 do not even have a land line, using the CID of an SMS text will yield a much higher accuracy rate when doing screen pops from CRM integrations. Self-service options for SMS are enormous, and scheduling an agent call back could not be any easier!

What would you rather do: call into a contact center, listen to the obligatory menu of options, self-navigate to the customer service group and then hear the first queue message, “the next available agent will be with you momentarily”; or send an SMS text message directly to the contact center group, bypassing the automated attendant, and, if you do not receive an immediate call back, receive a confirmation text that an agent will call you at your mobile number in four minutes?

We have created a website to enable you to immediately set up a text-based marketing campaign! You can create an account at our TEXT PORTAL, select a phone number for your campaign and be in the digital marketing world in minutes. We give you free SMS credits when you activate your account! Interested in extending this capability to your Contact Center? We can add text functionality to your ShoreTel Contact Center or Cisco UCCX in a matter of hours!

Contact DrVoIP@DrVoIP.com or send the word CALLME to 603-426-3253 for a sample application! If you would like to test T2E (Text to Email), text your email address to the same number and we will set you up. – DrVoIP

ShoreTel iPBX phone system Training!

Phone training is a double-edged sword. Everyone wants it, but nobody really wants to make the time commitment required to get comfortable with the new phone features that a system like ShoreTel brings to your business. Most folks figure it is a phone, how complex can it be? That is true: ShoreTel phones are easy to manipulate and most features are intuitive. There are, however, a range of features that improve customer care, increase availability and enable you to achieve priority call management that are new concepts in business communications. These features deserve some attention, and the hour or so invested in learning about call handling modes, primary phones, simultaneous ring, follow me and custom call routing enjoys a more than favorable return on time invested.

In addition to basic user training (we have to find another word to replace user, it sounds like drug addict), ShoreTel has applications that also require training. For example, if you have an Enterprise Contact Center or a Workgroup environment, you will need to provide instruction for your agents and supervisors. Are you using CRM connectors like Salesforce and Microsoft? Do you have a custom application integrated with your ShoreTel? Maybe the Recording or 911 application? How about the Mobility server? Are you using the iPhone and Android apps? Finally, all of these systems need an educated System Administrator to handle adds, moves and changes; who is going to provide that training?

When it comes to the basic ShoreTel phone system, we typically break user training into basic phone handling and save the Communicator for a separate session. Not everyone needs to learn Communicator, but everyone in the enterprise needs to know the basic phone functions if they are going to be effective come “go live”. How to set up your voice mail, assign your extension, manage multiple calls, transfer, conference and park are essential tricks that all employees should learn. Generally, this is a 30-45 minute session, and groups of 10 people around five handsets with an instructor using a projector for the call manager is a minimum training environment. Likewise, to get through the Communicator, it will take another 45 minutes. If you have to train several hundred people over multiple sites, training is going to be a significant time investment and several days of per diem for an instructor on site!

We have found that web-based training can be very effective for all of the various types of users that need to better understand these systems. You can do large groups at a much lower cost without sacrificing the informational content. Though we find multimedia self-paced training resources to be very valuable as reference material or to help future new team members get up to speed, it is generally agreed that an instructor-led webinar is a better solution. The instructor can be aware of the specific configurations that uniquely define every deployment and can answer questions, propose feature solutions and generally help folks better understand the rich library of features they are about to make use of. System Administration is without question easily done by web, as you are just going to log into a ShoreWare Director portal anyway! No need for everyone to huddle in the server room!

We can help you with distance learning solutions (or come on site) custom tailored to your deployment. We can cover the full range of ShoreTel products and generally enjoy helping folks! Give us a call or text “ShowMe” to 15165197813 and we will set up a meet!