
Product Description OmniPCX Enterprise R9

Neogate Session Border Controller

8AL020033199TCASA ed 1 October, 2008

Alcatel-Lucent Corporate Communication Solutions All Rights Reserved Alcatel-Lucent 2007

1. Introduction
In today's IP telephony deployments, VoIP is used inside the private IP network of an enterprise. To communicate with the external world, TDM interfaces are used. VoIP will have to cross the IP borders of the enterprise, to bridge VoIP islands and because TDM will become less and less prevalent. SIP trunking, remote SIP worker and hosted OXE are among the services that require VoIP to cross the IP border of the enterprise.

From a data point of view, firewalls are used today to control the data going to or coming from external IP networks. Nevertheless, managing VoIP traversal poses a number of challenges that are solved by SBC functions. These challenges are solved at the application level: the SBC is active on the SIP session between the enterprise and the external world (a session-aware Back-to-Back User Agent that can change the session parameters).

NeoGate is an enterprise-class SBC (Session Border Controller), a new breed of networking equipment specifically built to handle VoIP traffic in real time. Neogate is the enterprise version of NeoXBC, an SBC dedicated to the Service Provider market. NeoGate enables enterprises to switch their voice services from PSTN to full IP networks, thereby achieving greater cost optimization without compromising security, performance and quality of service to users.

In an OXE environment, Neogate addresses the following issues:
- connectivity
- interoperability
- security
- quality of service

This document describes NeoGate capabilities in an enterprise VoIP network controlled by Alcatel-Lucent OmniPCX Enterprise. Neogate, when resold by ALU Enterprise, will only be supported in ALU Enterprise environment for the described use cases (with OXE IPPBX). Some features available in Neogate will not be supported in ALU environment. This is indicated in the document.


2. Deployment Areas

Several services are enabled thanks to NeoGate. VoIP deployments are depicted in the figure below:

Figure 1: General Architecture

SIP trunking: TDM (T2, T0, analog) is the prevalent way to connect enterprises to carriers. This is changing, as native SIP offers are coming in the carrier space, with the emergence of NGN and IMS networks. OXE connects to NGN/IMS networks through its SIP public trunk directly. In some cases, an enterprise SBC is required between OXE and the NGN/IMS network. NeoGate solves the SIP trunking connectivity issue by providing NAT traversal between the company's LAN/WAN and the operator's network, as well as security, QoS management, bandwidth management, routing functions and SIP protocol interoperability.


Remote worker/mobile worker/remote office: Employees are working more and more from outside the enterprise's geographical borders. They want to have the same services as if they were sitting at their desk. For the enterprise itself, cost must be contained, and using the Internet as a connection between the employee and the enterprise is very cost effective. NeoGate solves the issue of remote SIP device connectivity through the Internet by providing Hosted NAT traversal for the SIP protocol, as well as strong security, QoS, bandwidth management, routing functions and SIP communication protocol interoperability.

Hosted OmniPCX Enterprise: ALU Business Partners and Large Enterprises aim at being the service provider for a number of enterprises or affiliates. The requirement is to be able to provide IP communications between the enterprises and the public network through Enterprise Service Provider systems (hosted OXE), without requiring any change in the IP infrastructure at the customer site (no IP routing between enterprises; overlapping IP addressing plans). Neogate solves the issue of allowing communications between different IP networks by providing NAT traversal for Alcatel-Lucent proprietary protocols, as well as security, QoS, bandwidth management and routing functions.

1.1. SIP trunking

Incumbent and alternative carriers are upgrading their networks to NGN and IMS. Business Trunking is a key offering in the service provider's portfolio, connecting the enterprise PBX or IP-PBX to the core VoIP infrastructure natively in SIP, without using TDM gateways. But interconnecting customers with its VoIP platform is not simple for an operator, and implies numerous technical problems like interoperability or NAT traversal, as well as security and QoS management issues. Comverse provides operators with equipment for their Business Trunking solutions. NeoXBC is located at the edge of the operator's network, between the company's equipment (PBX or IP-PBX) and its softswitch.


From an enterprise perspective, SIP Business Trunking also creates some challenges. NAT traversal for VoIP may be solved by the carrier SBC but, depending on carrier services, it could also be solved by the enterprise. The customer IP network is interconnected to the carrier VoIP network through a customer IPVPN, through an IP managed service or through the Internet. Depending on the type of connectivity and the customer's security awareness, the OXE IP PBX could be directly connected to the carrier SBC, or an intermediate device is necessary to protect the enterprise network from the external network.

NeoGate connects OXE to voice over IP operators while masking its own network. This solution protects the entire enterprise network by exposing only Neogate as the interconnection point, which prevents the disclosure of any of the addresses of the VoIP terminals and equipment. The enterprise can thus retain a private addressing plan for voice over IP while authorizing the connection to third parties.

Other security functions are performed by Neogate. Protection against distributed DoS attacks and IP spoofing, integrity checks, stateful inspection and VoIP firewalling are also provided.

SIP trunking implementations may differ between IPPBXs and NGN/IMS networks. Neogate can help with protocol normalization so that incompatible SIP options are resolved at the SBC level. For instance, if a carrier only supports DTMF in INFO messages, Neogate will transcode the INFO message into RFC 4733 DTMF, which is understood by OXE.

The enterprise may also want to hide its SIP gateway topology from the carrier (if there are several OXEs with 1 SIP gateway each). The carrier may also not want to manage the topology of the customer network (building one SIP gateway per OXE and managing the routing between the gateways). Using Neogate between the OXE network and the carrier network allows the routing of SIP sessions between the carrier and the IPPBX network. It may also solve OXE redundancy management (main/standby), if this mechanism is not implemented by the carrier.

In case the enterprise gets services from several SIP carriers, Neogate ensures the connectivity and security part, as well as routing between carriers.

To ensure quality of service for voice calls, Neogate has a number of mechanisms:
- Call Admission Control, which complements CAC on OXE and avoids overbooking the WAN bandwidth with real-time traffic.
- Rewriting of TOS/DiffServ classes of service to adapt to carrier constraints.
- QoS probe and Call Detail Records, which give accurate information on the quality of voice communications to control the SLA with the carrier.

1.2. Remote worker
Several technologies exist to connect remote employees to their enterprise, like IPSec VPNs, SSL VPNs or native HTTPS. Employee and enterprise are interconnected through the Internet.


For multimedia, it is possible to have native SIP connectivity between the enterprise and the employee terminal without any VPN client. Any SIP device can potentially be used remotely! More and more terminals will be used both inside and outside the enterprise, like dual-mode mobile phones or even SIP hardphones. Having a different access method for inside and outside is heavy and complex to manage.

Neogate allows remote connectivity of SIP terminals. Remote SIP devices register through Neogate, which allows:
- SIP device authentication for increased security
- Resolution of the Hosted NAT Traversal issue in SIP (when level 3 NAT is performed at the far end, for instance at home behind a DSL router)

Security is also enforced at Neogate's level for VoIP. Neogate will be colocated in the DMZ with the data firewall. Encryption on SIP with SIP TLS and SRTP is foreseen in a future release of Neogate.

Quality of service is also managed by Neogate: CAC. Unlike IPSec VPNs, where the media flow is between the VPN server and the VPN client, Neogate will try to optimize the RTP flow between 2 remote devices, avoiding transit through Neogate and thus saving bandwidth. The CAC mechanism manages this case.

1.3. Hosted OXE
Unlike the SIP cases, the Hosted OXE case mainly concerns the Alcatel proprietary protocol used between IP Touch phones, IPMGs and the OXE server. This proprietary protocol is named UA/IP. SIP terminals are also supported in this mode.


Hosted OXE is used by ALU Business Partners or the IT/IS departments of Large Enterprises to provide services to 3rd party enterprises or affiliates on the same model as carriers do. From an IP infrastructure perspective, the IP networks of the customers are completely separated and may also have overlapping IP addressing plans. The IP network of the Enterprise Service Provider is also separated from the customers' networks.

OXE in combination with Neogate makes it possible to provide communication services from a single or several OXE platforms located in the BP/IT Dept network. NAT traversal is managed by Neogate as dynamic firewalling for VoIP transiting between the different IP networks. NAT traversal is provided through the VLAN aggregation feature on Neogate (multi-VLANs). Hosted OXE is often linked to SIP trunking (for routing of communications from the customers to the public network).

Concerning the flows, Neogate will ensure that direct RTP is established between 2 IP Touch phones in the same VLAN.

As of today, only a part of the OXE services has been validated, and is therefore supported. Any project requiring this function should be controlled by central.

Non-supported functions through NAT (not exhaustive):
- Hosted NAT traversal is not supported on UA/IP protocol.
- ABC is not supported (NAT between 2 ABC nodes).
- PCS not supported.
- Encryption not supported.
- No direct RTP between SIP and UA/IP in the same VLAN.
- IMPG not supported (IMPG must be on the same network as OXE CS).


3. Key Benefits
There are many session border controllers on the market, but very few offer the same functions for the main VoIP protocols and adapt to a variety of business cases and network architectures. The points below highlight what makes NeoGate a unique platform to ensure successful deployment in an enterprise environment.
- Software-based, scalable solution: Neogate is a solution with integrated load-balancing and redundancy that can scale from a few sessions up to 88 000 concurrent sessions on a single platform. Its soft-DSP engine is software-based and runs on off-the-shelf Intel platforms from HP, IBM. This provides ease of use and maintenance and a lower cost of ownership compared to proprietary hardware. It is also easier and more cost-effective to manage large amounts of traffic by simply adding and removing server units, unlike proprietary systems that use expensive DSPs and are not scalable. Future evolutions could allow Neogate to run with other communications applications on a single server (virtualization) to address medium enterprises.
- Capitalize on the generic NeoXBC platform: Neogate naturally benefits from all the evolutions made on the carrier-grade NeoXBC for better integration of the enterprise network in NGN/IMS carrier networks.
- Integrated QoS Probe: Neogate includes a QoS probe that delivers a variety of performance metrics such as delay, jitter, latency and packet loss, as well as complete knowledge of the call context: codec, terminals, length of the calls, caller, callee.


4. Product Architecture
1.4. Software Architecture

1.4.1. Internal Architecture


Neogate is composed of an Application Layer Gateway (ALG), available for the main VoIP protocols (H.323, SIP, and RTSP), and one or several Media Proxies. The ALG processes the signaling by applying the address translation and a set of mechanisms related to the signaling, while the Media Proxy provides dynamic routing and filtering of VoIP packets, as well as NAT and PAT address translation of voice and video flows. This diagram shows the different modules comprising the Neogate solution. The functions of each module are described below.

Figure 2 : Internal Architecture

1.4.2. Functional Modules Description


NeoGate is composed of two main elements:
- ALG (Application Layer Gateway): Responsible for the management of SIP, H323, RTSP and Alcatel protocol signaling (address translation, management of the customer and call contexts...). Note: H323 and RTSP protocols are not supported in ALU environment.


- MP (Media Proxy): Routes and filters media streams (audio and video) on the order of the ALG. The Media Proxy provides dynamic routing and filtering for packets based on a distributed model, with session-opening commands exchanged between the ALG and the Media Proxy. Several MPs can be attached to one ALG.

These elements can be integrated on the same hardware or can be split into separate hardware. They are adapted to both compact and distributed architectures.

The other elements comprising NeoGate are:
- GUI: Graphical User Interface for configuration, administration and monitoring.
- CLI: Command Line Interface for configuration, administration and monitoring.
- SNMP Agent: SNMP agent option for the supervision of systems with terminal disconnection, alarm feedback, CPU/memory levels, etc.
- Policy Server: Internal policy server for Call Admission Control, or possibility to interconnect Neogate to an external Policy Server that accepts or refuses calls according to the data issued by a network management system. The external policy server function is not used in ALU environment.
- Access Registrar (AR): Integrated SIP Registrar or H.323 Access Gatekeeper. This function is not used in ALU environment.
- Call Routing Engine (CR): Module which manages call routing.
- QoS Probe: Module for analyzing voice over IP exchanges to determine packet loss, delay and jitter, and to calculate a voice grade following the E-model. This probe is very important to make the system easier to operate and to reduce operating costs. The investigation of quality of service defects for voice over IP is very sensitive and generally requires the use of specific tools. The integrated tool enables the operator to provide the customer with indicators in response to the SLA.
- PSDK (Proxy Software Development Kit): a powerful API that enables the integration of NeoGate into third-party applications such as OSS, billing systems or policy servers and provides Call Admission Control capabilities. This function is not used in ALU environment.

1.5. Platform Architecture

Neogate supports both compact and distributed architectures. In ALU environment only compact architectures are supported.

1.5.1. Compact Architectures


On compact architectures, all the modules are co-located on a single server.


Figure 3: Compact Architectures

In this case, the redundancy model is 1+1 for all of the modules.

1.5.2. Distributed Architectures


NeoGate also supports distributed architectures. Some modules can be split across several servers in order to increase capacity, benefiting from the full capacity of the host hardware (ALG on one server and MP on another). Not supported in ALU environment.

1.6. Network Topology

NeoGate is a very flexible product that can be smoothly integrated in various existing environments, limiting integration efforts and costs.

1.6.1. Multi-VLANs Mode


Neogate supports the 802.1Q standard. NeoGate solves the special issues related to VoIP traffic crossing VPNs and ending on a virtual aggregation router (recognition of VPN IDs, local or remote private addresses overlapping), but also ensures that all networks are correctly isolated, as well as the carrier's internal network. This configuration is very useful for managing QoS and security for the enterprises.


Figure 4: Multi-VLANs Architecture

1.6.2. Multi-Interfaces Mode


NeoGate also offers a multi-interfaces mode, enabling operators:
- To have one interface per customer (emulation of several SBCs)
- To interconnect several networks with different addressing plans, and so to have a dedicated IP address in the customer address plan (local overlapping supported with VLANs)
- To do call routing with interface information (associated routing table for advanced routing)

Figure 5 : Multi-Interfaces Architecture

1.6.3. IP Address Overlapping


NeoGate supports both local IP address overlapping (same IP address on Neogate for several VLANs) and remote overlapping (the customers can have the same addressing plan inside their VLANs). This function is used in the Hosted OXE case and enables the Enterprise Service Provider to offer communication services to their customers without having to ask them to modify their existing networks' IP addressing plans.


1.6.4. DMZ Mode


The DMZ mode enables NeoGate to stand in a DMZ zone (DeMilitarized Zone) instead of in front of the network. The following figure is an example of DMZ architecture:

Figure 6 : NeoGate in DMZ Mode

This can be used in all cases (SIP trunk, SIP remote worker, Hosted OXE). The existing data firewall does not need to be replaced, and it will delegate VoIP security to Neogate. There are 2 ways to deploy Neogate in the DMZ:

1.6.4.1. Deployment: Firewalling companion (public area)

The SBC is located in a DMZ and a router firewall is located between the DMZ/Enterprise LAN and Internet. The data and multimedia traffic are separated: only the multimedia traffic crosses over the SBC. The SBC manages public IP addresses.

[Figure: firewalling companion deployment, public area. Labels: DMZ, VPN IPSec Server (optional), SBC, Router / FW, Enterprise LAN, Internet, public IP address, Multimedia and Data flows]

This mode is not intrusive in the data-firewall but the data firewall will not protect the SBC from .

1.6.4.2. Deployment: Firewalling companion (private area)

The traffic is the same as in public area, but the SBC manages private IP addresses.

[Figure: firewalling companion deployment, private area. Labels: DMZ, VPN IPSec Server (optional), Security box, SBC, private IP address, Router / FW (NAT level 3), Enterprise LAN, Internet, public IP address, Multimedia and Data flows]

In this mode, the data firewall provides a first level of security to the SBC (except VoIP security) but is more intrusive in the data firewall. Level 3 NAT is performed by the data firewall.

1.7. Availability Mechanisms

1.7.1. Fault Tolerance and High Availability in Cluster Mode


A fault-tolerant solution is available with this architecture.

Figure 7: High-Availability Architecture in Cluster Mode

Network Fault Tolerance: To provide network fault tolerance, a double Ethernet attachment option is recommended. The dual-LAN solution is based on the use of a double-port network card. This enables a machine to be connected to a double LAN by using a single card.

Hardware Fault Tolerance: To ensure hardware fault tolerance, several procedures are carried out in order to ensure security:
- The solution is installed on fully redundant servers (power supply, hard drives).
- A cross-bonding is performed on the dual-LAN cards in order to increase the benefit of the double attachment.

Figure 8: Cross-Bonding Configuration

In the same way, to ensure hardware fault tolerance, it is advisable to add a second back-up server in parallel (as shown in the diagram above). This cluster is composed of one active and one backup server that share the same IP address and are managed with a Heartbeat system. When the first server "crashes", the second one takes over.

Software Fault Tolerance: A cron manager constantly monitors whether the processes are running. If they are down, the cron manager is in charge of re-launching the process. Several watchdogs run on Neogate in order to monitor processes, call states, etc.


5. Protocols and interfaces
1.8. Protocols

1.8.1. SIP protocol


SIP protocol is supported by Neogate. List of supported RFCs is in Annex A.

1.8.2. H323
Neogate supports H323.
- H323 is not supported in ALU environment.
- H323/SIP Interworking Function is not supported in ALU environment.

1.8.3. Alcatel-Lucent UA/IP


NeoGate supports the UA/IP protocol, the proprietary protocol of Alcatel-Lucent. UA/IP is used between the OmniPCX Enterprise IPPBX and IP Touch series 8 endpoints.

1.8.4. DTMF Management


Neogate supports in-band and out-band DTMF.
- Support of RFC 4733 (obsoletes RFC 2833): RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals.
- DTMF translation: Neogate is also able to perform out-band DTMF/RFC 4733 DTMF conversion (e.g. INFO message to RFC 4733).
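
The INFO-to-RFC 4733 conversion mentioned above and in the SIP trunking section, as an added example (not Neogate code). It assumes the carrier sends the digit in an `application/dtmf-relay` INFO body, an 8000 Hz telephone-event clock, 20 ms packetization and dynamic payload type 101; the function names and the sample message are constructed for illustration.

```python
import struct

# RFC 4733 event codes for DTMF: digits 0-9, then *, #, A-D.
EVENT_CODES = {**{str(d): d for d in range(10)},
               "*": 10, "#": 11, "A": 12, "B": 13, "C": 14, "D": 15}

# Constructed sample: an INFO request carrying digit 5 for 100 ms.
SAMPLE_INFO = (
    "INFO sip:1001@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:carrier@198.51.100.7>;tag=1928301774\r\n"
    "To: <sip:1001@192.0.2.10>;tag=a6c85cf\r\n"
    "Call-ID: constructed-call-1@198.51.100.7\r\n"
    "CSeq: 2 INFO\r\n"
    "Content-Type: application/dtmf-relay\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "Signal=5\r\nDuration=100\r\n"
)


def parse_dtmf_relay(body):
    """Parse a dtmf-relay body into (signal, duration in ms); reject bad input."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    signal = fields.get("signal", "").upper()
    if signal not in EVENT_CODES:
        raise ValueError(f"unsupported DTMF signal: {signal!r}")
    duration_ms = int(fields.get("duration", "100"))  # assumed default: 100 ms
    if duration_ms <= 0:
        raise ValueError("duration must be positive")
    return signal, duration_ms


def telephone_event_payloads(signal, duration_ms, clock_hz=8000,
                             ptime_ms=20, volume=10):
    """Build the 4-byte payloads: event | E,R,volume | duration (clock units)."""
    total = duration_ms * clock_hz // 1000
    step = ptime_ms * clock_hz // 1000
    if total > 0xFFFF:
        raise ValueError("event too long for one 16-bit duration field")
    event = EVENT_CODES[signal]
    payloads = []
    elapsed = step
    while elapsed < total:  # interim updates carry the duration so far
        payloads.append(struct.pack("!BBH", event, volume & 0x3F, elapsed))
        elapsed += step
    end = struct.pack("!BBH", event, 0x80 | (volume & 0x3F), total)  # E bit set
    payloads.extend([end] * 3)  # the end packet is sent three times
    return payloads


def rtp_packets(payloads, pt=101, seq=1000, timestamp=160000, ssrc=0x1234ABCD):
    """Wrap payloads in RTP headers: marker on the first packet only, the
    same timestamp for the whole event, sequence number incremented."""
    packets = []
    for i, payload in enumerate(payloads):
        marker = 0x80 if i == 0 else 0x00
        header = struct.pack("!BBHII", 0x80, marker | pt,
                             (seq + i) & 0xFFFF, timestamp, ssrc)
        packets.append(header + payload)
    return packets


def convert_info(message):
    """Turn one SIP INFO DTMF request into the RTP packets for that digit."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("INFO "):
        raise ValueError("not an INFO request")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/dtmf-relay":
        raise ValueError("INFO body is not application/dtmf-relay")
    signal, duration_ms = parse_dtmf_relay(body)
    return rtp_packets(telephone_event_payloads(signal, duration_ms))
```

The three identical end packets differ only in RTP sequence number, so the receiver still learns that the digit ended if one or two of them are lost.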

1.8.5. Overlap Sending SIP


In order to enable interoperability with some PSTN gateways, Neogate supports overlap sending in SIP. All dialling information (DTMF) is sent in separate INVITE messages, digit per digit. Overlap sending is not used in Alcatel environment.

1.8.6. Facsimile Transport


Neogate supports the T.38 protocol for facsimile transport. Neogate also supports fax and modem pass through. Fax and modem pass through (transparent G711) is not supported in ALU environment.

1.9. Interfaces

1.9.1. PSDK
Not supported in ALU environment.

The PSDK (Proxy Software Development Kit) is a powerful tool that enables developers to interface Neogate with external applications, such as policy servers, billing systems, OSS or quality management. It is available as a software library written in C++ for the SIP protocol. It is not supported on the UA/IP protocol.

Here are the main services provided by the SDK (service: functionality):
- Information: Possibility of getting information from Neogate among an exhaustive list of information
- Orders: Possibility of sending orders to Neogate among an exhaustive list of orders
- Events: Possibility of positioning callbacks on Neogate events among an exhaustive list of events


6. Functional Description
1.10. Network Address Translation

1.10.1. NAT Traversal

Neogate is a robust platform that provides end-to-end VoIP calls through routers, firewalls and softswitches. Network Address Translation (NAT), for instance, is usually not possible, as internal private network addresses are present both in the headers and in the bodies of VoIP packets. Using an ALG, Neogate makes the necessary modifications on all packets so that internal addresses remain hidden, as well as the network topology. It also ensures the translation of private network addresses in such a way that only the public address of Neogate is known to outside parties, not the private addresses of the IP terminals and Call Servers.

1.10.2. Hosted NAT Traversal

Hosted NAT traversal is used in the remote worker case. NeoGate intercepts VoIP packets and changes them so that they are recognizable by the legacy firewall or NAT device. The SBC mediates between the LAN and the Internet by modifying the signaling and bearer packets in both directions. This functionality is referred to as network-hosted NAT traversal, since the SBC is typically located in the enterprise VoIP network and performs the modifications to the incoming and outgoing VoIP packets from a centralized location. This functionality is available only in SIP, not on UA/IP.

The benefits of network-hosted NAT traversal to the enterprise are numerous:
- No additional customer premise equipment (VPN gateway) is required: Neogate is thus a very cost-effective solution.
- No change is required to existing network infrastructure or to firewalls, IADs, or other NAT devices that are located at the customer site.
- Security is kept intact as private addresses can be utilized for all VoIP end-user devices.
- The solution is compatible with most SIP end devices and NAT/firewall premise equipment types, making it easy and fast to implement.

Neogate will try to establish direct RTP between SIP devices if they are on the same side of Neogate (e.g. remote worker to remote worker) behind the same NAT router. For RTP optimization between endpoints behind 2 different NAT routers, it is recommended to deactivate direct RTP, to avoid cases where routing between routers is not allowed.


1.11. Security

All incoming VoIP traffic that enters the LAN or the operator's network goes through Neogate, which modifies the signaling and media IP packets in both directions, hiding network topology by performing L3 & L5 NAPT (Network Address and Port Translation) and continuously monitoring the packets to confirm that the voice is coming from an authorized source. The authentication module checks for the existence of the users in an external base when registering terminals or setting up calls. NeoGate is then able to thwart attacks in real time. It stops all illegitimate session attempts at the border of the network and protects softswitches, application/media servers and gateways from malicious attacks, such as address spoofing, rogue RTP, or Denial of Service.

Neogate behaves much like a firewall, but is more dedicated to VoIP, acting at three different levels:
- Security of the Box: Protection against port scanning (1)
- Security of the Software: Protection against DoS attacks, overflow, etc. (2)
- Security of VoIP: Protection against VoIP-specific attacks, deep packet inspection, adaptive filtering (3)

Figure 9 : Three Levels of Security

1.11.1. Firewall

1.11.1.1. General Firewalling


Protection of TCP/IP Stack
- Protection against SYN Flooding attacks
- Banning of source according to packets routing
- Ignoring broadcasted ICMP packets, badly formatted packets and forwarded packets
- Banning of forwarded packets
- Ignoring modified packets that pretend to come from an interface which is different from the interface where they come from

Protection Against Exploration
All TCP packets are filtered and inspected. All badly formatted packets are dropped. That prevents exploration through badly formatted connection requests that can reveal information about open ports. ICMP exploration is impossible because all packets of that protocol are dropped by the internal firewall.

Traffic Routing
All traffic that is not destined for Neogate (both interfaces) is dropped by the internal firewall.

Broadcast and ICMP
All broadcast traffic as well as ICMP traffic is dropped, except Heartbeat traffic (port 694).

1.11.1.2. Dynamic VoIP Firewall


Neogate stands at the border of the network. Its internal firewall filters all VoIP streams. Another VoIP firewall is not required in the company (only for data). However, Neogate can also be placed behind an external firewall, for example when it stands in the DMZ of the company's LAN.

Neogate is responsible for dynamically opening and closing pinholes in the internal firewalls to allow VoIP streams to go through. For instance, all IP phones can be registered with Neogate using the same pinhole (typically 5060 in SIP) instead of leaving a large range of ports constantly open. For the RTP flows, Neogate opens and closes pinholes in the internal firewall depending on the number of simultaneous calls or sessions. When a session is closed, the corresponding port is also closed. The following figure describes the operating mode of the firewalling:


Figure 10: Dynamic Firewall

This solution is plug and play, as it does not require any configuration on the external firewall or the IP phones, except that all of the ranges of ports associated with VoIP traffic must be open on the external firewall. All traffic arriving on these ports will be forwarded to Neogate's corresponding ports. The administrator can also choose the range of ports assigned to VoIP sessions as well as the streams to be NATed (signaling/media and signaling) to increase performance and security.

1.11.2. Network Topology Hiding

Sitting in front of the firewall, Neogate is positioned to hide the LAN topology behind it, and to prevent topology leakage across all the possible request methods embedded in IP headers that could reveal private addresses for CPE. Neogate hides network topology by performing NAPT (network address and port translations) on all signaling and media IP packets. Moreover, it goes beyond the Layer 3-only NAPT performed by firewalls and routers. Internal IP addresses can also be exposed in signaling messages including error messages. Consequently, signaling and error messages are inspected by Neogate for embedded IP addresses and rewritten if present.
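
The address rewriting described above, together with a leak check a defender can run on messages leaving the border, as an added example (not Neogate code). It assumes a single SBC public address and only substitutes addresses (no port translation); all names, addresses and sample messages are constructed. The point it shows beyond the text is that rewriting the SDP body changes its size, so `Content-Length` has to be recomputed.

```python
import ipaddress
import re

# RFC 1918 ranges are listed explicitly: ipaddress.is_private would also
# flag the documentation ranges used below as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
CONTENT_LENGTH_RE = re.compile(r"(?im)^(Content-Length|l)(\s*:\s*)\d+")


def build(start_line, headers, body=""):
    """Assemble a SIP message with a correct Content-Length (sample helper)."""
    lines = [start_line, *headers, f"Content-Length: {len(body.encode())}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def is_internal(text):
    """True if text is a valid IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)


def leaked_private_addresses(message):
    """Every internal address still visible anywhere in the message."""
    return sorted({m for m in IPV4_RE.findall(message) if is_internal(m)})


def hide_topology(message, sbc_public_ip):
    """Replace internal addresses in headers and body with the SBC address,
    then fix Content-Length, which changes when address lengths differ."""
    head, sep, body = message.partition("\r\n\r\n")

    def swap(match):
        return sbc_public_ip if is_internal(match.group(0)) else match.group(0)

    head = IPV4_RE.sub(swap, head)
    body = IPV4_RE.sub(swap, body)
    head = CONTENT_LENGTH_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{len(body.encode())}", head)
    return head + sep + body


# Constructed samples: an outgoing INVITE with SDP, and an error response
# whose Warning header text exposes internal hosts.
SDP = ("v=0\r\n"
       "o=- 1 1 IN IP4 10.1.30.17\r\n"
       "s=-\r\n"
       "c=IN IP4 10.1.30.17\r\n"
       "t=0 0\r\n"
       "m=audio 32000 RTP/AVP 8 101\r\n")
SAMPLE_INVITE = build(
    "INVITE sip:1000@203.0.113.20 SIP/2.0",
    ["Via: SIP/2.0/UDP 10.1.20.5:5060;branch=z9hG4bKconstructed1",
     "From: <sip:2001@10.1.20.5>;tag=49583",
     "To: <sip:1000@203.0.113.20>",
     "Call-ID: constructed-1@10.1.20.5",
     "CSeq: 1 INVITE",
     "Contact: <sip:2001@10.1.20.5:5060>",
     "Content-Type: application/sdp"],
    SDP)
SAMPLE_ERROR = build(
    "SIP/2.0 503 Service Unavailable",
    ["Via: SIP/2.0/UDP 203.0.113.20:5060;branch=z9hG4bKconstructed2",
     "From: <sip:1000@203.0.113.20>;tag=77",
     "To: <sip:2001@203.0.113.1>;tag=78",
     "Call-ID: constructed-2@203.0.113.20",
     "CSeq: 1 INVITE",
     'Warning: 399 10.1.20.5 "No route to media gateway 10.1.30.17"'])

if __name__ == "__main__":
    print(hide_topology(SAMPLE_INVITE, "203.0.113.1"))
    print(leaked_private_addresses(SAMPLE_ERROR))
```

Running `leaked_private_addresses` over captured egress signaling gives a quick regression check that no header, SDP line or error text still carries an internal address.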

1.11.3. Deep Packet Inspection

Neogate inspects all packets that enter the network to see if they are correctly structured. If not, it denies the call. Once the signaling stream is authorized, Neogate continues to monitor the packets to confirm that the voice is coming from an authorized source. If the source changes, Neogate determines whether this is an authorized change (a gateway failover recovery, for instance) or if someone is trying to attack the network using rogue RTP.

For example, the session controller detects whether an incoming signaling message is a real setup/invite or a mock setup/invite. Or, if there is a large number of setup/invite messages from an accepted source, it determines their validity. If they are not from an accepted source, there could be a problem with an end device or a denial of service attack in progress, and the call is stopped immediately. If the large number of invites is valid, the session controller restricts the number of simultaneous invites so as not to overload the OXE IPPBX.
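
A small model of the per-call pinholes from the Dynamic VoIP Firewall section combined with the RTP source check described here, as an added example (not Neogate code). Class, method and decision names, the port range and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

SIP_PORT = 5060  # the single signaling pinhole shared by all phones


@dataclass
class Pinhole:
    call_id: str
    peer: tuple  # (ip, port) announced for this call in signaling (SDP)


class DynamicVoipFirewall:
    """RTP ports are closed by default and open only for the life of a call."""

    def __init__(self, rtp_ports=range(20000, 20008, 2)):
        self._free = list(rtp_ports)   # administrator-chosen RTP port range
        self._open = {}                # local port -> Pinhole

    def open_pinhole(self, call_id, peer_ip, peer_port):
        """Called on call setup; returns the local RTP port opened."""
        if not self._free:
            raise RuntimeError("RTP port range exhausted, call refused")
        port = self._free.pop(0)
        self._open[port] = Pinhole(call_id, (peer_ip, peer_port))
        return port

    def update_peer(self, call_id, peer_ip, peer_port):
        """Authorized source change, driven by signaling (gateway failover)."""
        changed = False
        for hole in self._open.values():
            if hole.call_id == call_id:
                hole.peer = (peer_ip, peer_port)
                changed = True
        return changed

    def close_session(self, call_id):
        """Called on call teardown; the port closes with the session."""
        for port in [p for p, h in self._open.items() if h.call_id == call_id]:
            del self._open[port]
            self._free.append(port)

    def decide(self, src_ip, src_port, dst_port):
        """Filter decision for one inbound UDP packet."""
        if dst_port == SIP_PORT:
            return "accept:signaling"   # content is then checked by the ALG
        hole = self._open.get(dst_port)
        if hole is None:
            return "drop:no-pinhole"
        if (src_ip, src_port) != hole.peer:
            return "drop:rogue-rtp"     # source was never announced in signaling
        return "accept:media"

    def open_ports(self):
        return sorted(self._open)


def replay():
    """Run a constructed packet sequence through one call's lifetime."""
    fw = DynamicVoipFirewall()
    gateway, standby, stranger = "198.51.100.7", "198.51.100.8", "203.0.113.99"
    log = [fw.decide(gateway, 4000, 20000)]          # before any call
    port = fw.open_pinhole("call-1", gateway, 4000)  # call setup
    log.append(fw.decide(gateway, 4000, port))       # expected media source
    log.append(fw.decide(stranger, 4000, port))      # unannounced source
    fw.update_peer("call-1", standby, 4000)          # failover via signaling
    log.append(fw.decide(standby, 4000, port))
    log.append(fw.decide(gateway, 4000, port))       # old source no longer valid
    fw.close_session("call-1")                       # call teardown
    log.append(fw.decide(standby, 4000, port))
    log.append(fw.decide(stranger, 5060, SIP_PORT))
    return log, fw.open_ports()


if __name__ == "__main__":
    for decision in replay()[0]:
        print(decision)
```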

1.11.4. Protection Against Attacks

Network administrators must take into account the increased vulnerability resulting from the convergence of networks, which are no longer insulated from each other. The TDM network can also be attacked using VoIP streams. Neogate, acting as an application firewall dedicated to VoIP, secures the whole network from malicious attacks, such as session hijacking, RTP and SIP INVITE flooding, and Denial of Service.

1.11.5. Authentication

The authentication service (AAA) of Neogate intercepts a registration request from an IP phone client and checks for the existence of the user in an external base (Radius, SQL, ...) when registering terminals or setting up calls. This enables the enterprise to protect its core network by checking the identity of users at the borders instead of on the IPPBX. The scheme below shows the principle of an authentication application using SIP protocol:

Figure 11: Principle of Authentication in SIP Protocol

Neogate supports several methods of authentication. It can use a local file or a request to a Radius server. Authentication in NeoGate is not supported today in ALU environment. For the remote worker scenario, SIP devices are registered on the OXE, not the Neogate. SIP Authentication is performed by OXE. Authentication at the edge by Neogate (with registration on OXE) will be provided in a future release of Neogate.

1.12. Access Registrar

Not used in ALU environment.

To decrease the load on the external access registrar (Access Gatekeeper or SIP Registrar) and increase Neogate's performance, it is possible to use the ALG as a SIP Registrar for SIP. Neogate is then able to perform user registration and authentication on the enterprise border, limiting the number of transactions and increasing the capacity of the IPPBX's platform to handle calls and maintain a high quality of service. The figure below describes the architecture of the platform with or without integrated access registrar:

Figure 12: Architecture with/ without Integrated Access Registrar

1.12.1. SIP Registrar

Note: Not used in ALU OXE environment.

In the same way, NeoXBC proposes integrating an optional SIP Registrar Module. A registrar is a server that accepts REGISTER requests and stores all registered user information locally. Before accepting the REGISTER, the SIP registrar can do an authentication request. The diagram below illustrates a registration call flow with an authentication request. The registrar server is in charge of relaying all SIP messages. During the registration, the registrar doesn't give information about the SIP server that will manage the call session. This model is applied when the registrar option is activated on the NeoXBC.

Figure 13: Registration on Integrated SIP Registrar

1.13. Notion of Trunk Group (TG)

1.13.1. Forewords: Definition

Signaling Point: A signalling point is equipment at the origin of the signalling, or which is the destination of this flow. It can be a gateway, a softswitch, a router or an IP phone.

Trunk Group: A trunk group represents a group of signalling points with common properties. A trunk group can be defined by:
- A list of IPPBXs
- A netmask: subnet network
- An interface
- An IP address: IP address of a distant point like remote box or router
- A range of aliases (SIP user part of the SIP URI)
- A domain name (SIP only)

1.13.2. Associated Features

Call Admission Control

Two levels to manage the CAC are necessary. A trunk group has a CAC policy and each signalling point of the trunk group has its own CAC policy. The trunk group policy has a higher priority than the single signalling point policy. The cumulated capacities of all signalling points can exceed the global trunk group capacities; however, only the trunk group capacities can be reached. Neogate supports two types of CAC: call number limitation and bandwidth limitation. Each CAC policy definition is divided into two rules: one for global calls, one for outbound calls. The call limitation and the bandwidth limitation can be activated at the same time. The first one reached stops the call admission.

Codecs Management

A codec profile is defined for each trunk group. If no codec list is defined, the trunk group must support all the codecs. When a call is forwarded to a trunk group, Neogate must limit the codec list to the authorized codecs defined for it. If there is no common codec, NeoXBC can decide either to perform codec translation (if transcoding module available) or reject the call.

Load Balancing

Thanks to the Trunk Group function, Neogate can perform load balancing between the SPs comprising the TG.

Figure 14 : Trunk Group Configuration on GUI

1.14. Advanced Routing

1.14.1. Routing Rules

Neogate offers several routing rules:
- Routing per alias (range of alias with wildcard)
- Routing per domain name (SIP)
- Routing per IP address
- Routing per interface/per port
- RFC 4904-like Trunk Group routing (Not supported in ALU environment)
- Default/static routing
- Emergency routing (SIP only)

1.14.2. Load Balancing

Thanks to the Trunk Group function, Neogate can perform load balancing. Several methods are implemented:

Figure 15 : Load-Balancing Algorithms

- Round Robin: All softswitches are stored in a ring, ignoring their priorities. The softswitches are used one after the other. Those that are down or full are not used.
- Priority: This is the same round-robin algorithm, except that one ring is created for each priority of softswitches. For each call, the ring with the greatest priority is first used. If all its softswitches are unavailable (full capacities or unreachable), the following ring is used, and so on.
- Master/Slave: A trunk group with this algorithm has only two softswitches, one master and one slave. The master is always used, until it fails. The slave is then used, but only until the master comes up again. The master is defined by the first softswitch with priority 1 that refers to the trunk group. The slave is the first softswitch with priority 2 that refers to the trunk group.
- CAC-Weight: A CAC-weight-based load-balancing algorithm. The trunk group uses at any time the least loaded softswitch, using the softswitch CAC properties.
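
The four selection methods can be expressed compactly as below. This is an added example, not Neogate code. Assumptions: priority 1 is the greatest priority (as in the Master/Slave definition), "load" for CAC-Weight is the ratio of active calls to the softswitch call limit, and all class and attribute names are hypothetical.

```python
class Softswitch:
    def __init__(self, name, priority=1, max_calls=10, active=0, up=True):
        self.name = name
        self.priority = priority    # 1 is the greatest priority (assumption)
        self.max_calls = max_calls  # CAC call limit of this softswitch
        self.active = active        # calls currently in progress
        self.up = up

    def available(self):
        # "Down or full" softswitches are skipped.
        return self.up and self.active < self.max_calls


class TrunkGroup:
    def __init__(self, softswitches, algorithm):
        self.members = list(softswitches)
        self.algorithm = algorithm
        self._cursor = {}   # ring id -> index of the next member to try

    def _ring_pick(self, ring_id, ring):
        """Return the next available member of a ring, or None."""
        start = self._cursor.get(ring_id, 0)
        for step in range(len(ring)):
            idx = (start + step) % len(ring)
            if ring[idx].available():
                self._cursor[ring_id] = (idx + 1) % len(ring)
                return ring[idx]
        return None

    def select(self):
        """Return the softswitch that gets the next call, or None."""
        if self.algorithm == "round-robin":
            # One ring, priorities ignored.
            return self._ring_pick("all", self.members)
        if self.algorithm == "priority":
            # One ring per priority; fall through to the next ring only
            # when every member of the current one is unavailable.
            for prio in sorted({m.priority for m in self.members}):
                ring = [m for m in self.members if m.priority == prio]
                chosen = self._ring_pick(prio, ring)
                if chosen is not None:
                    return chosen
            return None
        if self.algorithm == "master-slave":
            master = next((m for m in self.members if m.priority == 1), None)
            slave = next((m for m in self.members if m.priority == 2), None)
            # The master is used until it fails; the slave only while
            # the master is down.
            if master is not None and master.up:
                return master
            if slave is not None and slave.up:
                return slave
            return None
        if self.algorithm == "cac-weight":
            candidates = [m for m in self.members if m.available()]
            return min(candidates, key=lambda m: m.active / m.max_calls,
                       default=None)
        raise ValueError("unknown algorithm: %s" % self.algorithm)


if __name__ == "__main__":
    group = TrunkGroup([Softswitch("A"), Softswitch("B"), Softswitch("C")],
                       "round-robin")
    print([group.select().name for _ in range(4)])
```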

1.14.3. Alias Translation

The alias translation feature, available in SIP only, enables the transformation of the called and calling alias during the transfer of a SIP packet through the ALG. Several rules are available:
- Add: Takes all that is matched by * in the alias and adds a prefix to it.
- Rmv: Erases N characters from the beginning of the alias
- Rewrite: Replaces everything matched by * in the alias
- Replace: Replaces everything not matched by * in the alias

One or more translations can be declared around a routing rule to be used.

1.15. QoS and SLA Assurance

Not available with UA/IP.

1.15.1. Call Admission Control

Integrated CAC Module

The implementation of Call Admission Control enables Neogate to maintain a guaranteed QoS by refusing calls when the number of calls or the bandwidth reaches a certain threshold. To protect against infrastructure overloads, for instance in Trunking configuration, if the access link between the softswitch and the IPBX is at capacity or the softswitch cannot handle more than 50 calls, Neogate will gracefully reject new call requests because adding just one more call will deteriorate the quality of every active call. For Trunking deployments, this functionality also allows the operator to propose different commercial offers based on the number of authorized simultaneous calls. These admission control issues also apply to transit links between providers (peering mode). Every transit link has a finite capacity and the number of active sessions must be actively managed to prevent that one more call from deteriorating quality for all calls. Neogate allows ISP and telecom operators to offer voice and video IP services with guaranteed service levels while maximizing the utilization of network resources.

Notion of CAC Profile

At any time during provisioning, it is possible to define CAC profiles. A CAC profile is a set of CAC rules which can be associated to one or several Trunk-Groups or to one or several Signaling Points. The main parameters are:
- A unique ID
- Parameters for CAC per calls: max calls and max outbound calls
- Parameters for CAC per bandwidth (roadmap): max bandwidth (in bps) and max outbound bandwidth (in bps)

The following screenshot shows an example of configuration.

Figure 16: CAC Profile Declaration Menu
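
The two-level policy of section 1.13.2 and the CAC profile parameters listed above combine as in the following added example. It is not Neogate code: the class names, the reason strings and the figure of 80,000 bps per call are constructed for illustration, and a limit of None stands for a rule that is not configured.

```python
class CacProfile:
    """A CAC profile: unique ID plus call and bandwidth limits (None = unset)."""

    def __init__(self, profile_id, max_calls=None, max_outbound_calls=None,
                 max_bandwidth=None, max_outbound_bandwidth=None):
        self.profile_id = profile_id
        self.max_calls = max_calls
        self.max_outbound_calls = max_outbound_calls
        self.max_bandwidth = max_bandwidth                    # bps
        self.max_outbound_bandwidth = max_outbound_bandwidth  # bps


class Usage:
    """Current consumption of one trunk group or signalling point."""

    def __init__(self):
        self.calls = self.outbound_calls = 0
        self.bandwidth = self.outbound_bandwidth = 0

    def add(self, outbound, bps, sign=1):
        self.calls += sign
        self.bandwidth += sign * bps
        if outbound:
            self.outbound_calls += sign
            self.outbound_bandwidth += sign * bps


def first_exceeded(profile, usage, outbound, bps):
    """Name of the first rule that one more call would break, or None."""
    rules = [("max_calls", usage.calls + 1),
             ("max_bandwidth", usage.bandwidth + bps)]
    if outbound:  # the outbound rule applies on top of the global rule
        rules += [("max_outbound_calls", usage.outbound_calls + 1),
                  ("max_outbound_bandwidth", usage.outbound_bandwidth + bps)]
    for name, wanted in rules:
        limit = getattr(profile, name)
        if limit is not None and wanted > limit:
            return name
    return None


class TrunkGroupCac:
    def __init__(self, tg_profile, sp_profiles):
        # sp_profiles maps a signalling point name to its CacProfile.
        self.scopes = {"trunk-group": (tg_profile, Usage())}
        for sp, profile in sp_profiles.items():
            self.scopes[sp] = (profile, Usage())
        self.calls = {}   # call id -> (signalling point, outbound, bps)

    def admit(self, call_id, sp, outbound, bps):
        """Return (admitted, reason); reason names the scope and rule hit."""
        # Trunk group policy first (higher priority), then the signalling point.
        for scope in ("trunk-group", sp):
            profile, usage = self.scopes[scope]
            rule = first_exceeded(profile, usage, outbound, bps)
            if rule is not None:
                return False, "%s:%s" % (scope, rule)
        for scope in ("trunk-group", sp):
            self.scopes[scope][1].add(outbound, bps)
        self.calls[call_id] = (sp, outbound, bps)
        return True, None

    def release(self, call_id):
        sp, outbound, bps = self.calls.pop(call_id)
        for scope in ("trunk-group", sp):
            self.scopes[scope][1].add(outbound, bps, sign=-1)


if __name__ == "__main__":
    tg = CacProfile("tg-1", max_calls=3, max_outbound_calls=2,
                    max_bandwidth=400000)
    cac = TrunkGroupCac(tg, {"pbx1": CacProfile("sp-1", max_calls=2),
                             "pbx2": CacProfile("sp-2", max_calls=2)})
    for call, sp in (("c1", "pbx1"), ("c2", "pbx1"), ("c3", "pbx1")):
        print(call, sp, cac.admit(call, sp, False, 80000))
```

The two signalling points together allow four calls, but the trunk group limit of three is the one that is reached.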


External CAC

Not used in ALU environment.

Neogate can also be connected to an external Policy Server that accepts or refuses calls according to the data issued by a network management system. This module can allow the continuation of a call by returning the codec list used by a request sender, or force the end of the call. For example, in the framework of IMS, Neogate as P-CSCF interacts with the PDF (Policy Decision Function) through the standardized Gq interface.

1.15.2. Codec Management

The management of QoS is a most important challenge for Next Generation Networks. QoS management is a difficult compromise between the available bandwidth and the quality of voice encoding, which also depends on codec choice. In the normal course of a VoIP call, codec negotiation is performed by endpoints, which choose a codec (by type of media) among the common codecs list. Some operators would like to be able to force the use of determined codecs on their network to obtain the best compromise between audio and video quality and the used bandwidth. To address these issues, Neogate supports a Codec restriction module integrating a transcoding module.

Notion of Codec Profile

On the same principle as the CAC profile, it is possible to define for each trunk/trunk group an associated codec profile, defined by a list of authorized codecs and a list of unauthorized ones. The following screenshot shows codec profile configuration in GUI:

Figure 17 : Screenshot from Codec Profile Configuration

Codec Restriction Module

The codec restriction module is a software-based solution, integrated in Neogate:
- It makes it possible for operators to force the endpoint to use determined codecs (allowed/denied in codec profile), modifying the codec list exchanged between the endpoints in their SDP offers
- If there is incompatibility of codecs for a call, the codec restriction module decides:
  - Either to terminate the call (field enable Transcoding at no)
  - Or to use the associated Transcoding module, which will carry out transcoding of media flows in real time (field enable Transcoding at yes)

Codec Translation

Not used in ALU environment.

Neogate proposes as an option a hardware codec translator that allows users to change the codec during communication, and uses a single common codec for voice transmission, no matter what different codecs are implemented on the access network by the clients.
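
How a codec profile changes the codec list of an SDP offer, and what happens when nothing is left, is shown in the added example below. It is not Neogate code: the function name, the returned action strings and the sample offer are constructed, and keeping telephone-event (DTMF events) regardless of the profile is an assumption. For the "transcode" outcome the offer is returned unchanged; the transcoding itself is outside the example.

```python
import re

# Static RTP payload types that may appear without an a=rtpmap line.
STATIC_PT = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA",
             "9": "G722", "18": "G729"}
NOT_A_CODEC = {"TELEPHONE-EVENT"}   # kept whatever the profile says (assumption)

# Constructed sample offer.
OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 203.0.113.10",
    "s=-",
    "c=IN IP4 203.0.113.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 18 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
]) + "\r\n"


def apply_codec_profile(sdp, allowed=(), denied=(), enable_transcoding=False):
    """Return (action, sdp_out, kept_codecs).

    action is "forward" (sdp_out holds the restricted offer), "transcode"
    (no common codec, transcoding enabled) or "reject" (no common codec,
    transcoding disabled). An empty allowed list permits every codec that
    is not denied.
    """
    allowed = {c.upper() for c in allowed}
    denied = {c.upper() for c in denied}
    lines = [l for l in sdp.replace("\r\n", "\n").split("\n") if l]
    # Session-level lines first, then one list of lines per m= section.
    sections = [[]]
    for line in lines:
        if line.startswith("m="):
            sections.append([])
        sections[-1].append(line)

    out, kept = list(sections[0]), []
    for section in sections[1:]:
        media, port, proto, *pts = section[0][2:].split()
        names = dict(STATIC_PT)
        for line in section[1:]:
            if line.startswith("a=rtpmap:"):
                pt, encoding = line[len("a=rtpmap:"):].split(None, 1)
                names[pt] = encoding.split("/")[0].upper()
        keep, codecs = [], []
        for pt in pts:
            name = names.get(pt, pt)
            if name in NOT_A_CODEC:
                keep.append(pt)
            elif name not in denied and (not allowed or name in allowed):
                keep.append(pt)
                codecs.append(name)
        if not codecs:
            # Codec incompatibility for this call.
            if enable_transcoding:
                return "transcode", sdp, []
            return "reject", None, []
        kept += codecs
        out.append("m=%s %s %s %s" % (media, port, proto, " ".join(keep)))
        for line in section[1:]:
            m = re.match(r"a=(?:rtpmap|fmtp):(\d+)", line)
            if m and m.group(1) not in keep:
                continue            # attribute of a removed payload type
            out.append(line)
    return "forward", "\r\n".join(out) + "\r\n", kept


if __name__ == "__main__":
    print(apply_codec_profile(OFFER, allowed=["G729"])[1])
```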

1.15.3. QoS Marking

Static Marking

Thanks to Neogate, it is possible to perform static DSCP marking by configuring the following values:
- Signaling DSCP value
- Media DSCP value

These values are configurable by interfaces.

Dynamic marking

Not supported in ALU environment.

This function, driven by external resources, allows a dynamic QoS marking of the packets. It is therefore possible to assign a changing class of service according to specific policies.

1.15.4. QoS Probe

The investigation of quality of service defects for VoIP is very sensitive and generally requires the use of specific tools. Neogate offers an optional QoS probe to monitor the quality of VoIP calls through the network and diagnose failures in the network architecture. The functionalities of NeoQoS can be split into two parts:
- Voice Grade Information in CDRs
- Graphical Interface for Monitoring

For each call, NeoQoS retrieves information from ALG and MP about the quality of the call and completes CDRs with the following information:
- From the ALG:
  - Call identifiers
  - Caller/called identification (E164, alias, IP address, terminal type)
  - Start time and duration
  - Audio and video used codecs
- From MP in RTP packets:
  - Number of packets and lost packets
  - Jitter
  - Bandwidth
- From MP in RTCP packet:
  - Delay (RTPD : Round Trip Propagation Delay)

Moreover, thanks to NeoQoS, it is possible to get QoS statistics for daily report and monthly report:
- R-Mark (min/avg/max)
- Bandwidth (min/avg/max)
- Number of calls
- Number of registered clients
- Call duration (min/avg/max)
- Audio and video codecs distribution
- End of call status
- Call distribution (LAN-LAN, LAN-WAN...)
- Jitter (min/avg/max)
- Packet loss (min/avg/max)

NeoQoS also proposes a graphical interface, fully integrated in the Neogate GUI, which gives a graphical representation of all the results that is easier to analyze. Here are some screenshots from NeoQoS:

Figure 18: Statistics for One Day

It is possible to put filters on different characteristics to get the most relevant information one needs.

Figure 19 : Filters Definition

Figure 20 : Detailed Statistics for One Call

The probe is not integrated in the A4760 management platform.

1.16. Interoperability

1.16.1. Codec Translation

Not supported in ALU environment.

The Transcoding module is a hardware-based solution from the market, which is integrated in the NeoXBC solution and which can be co-located on the same hardware or installed on dedicated equipment, according to the required capacities and targeted architecture. According to the policy defined in the Codec profile, NeoXBC is in charge of piloting the DSP thanks to its proprietary protocol. This solution supports the following codecs: G.711Mu-Law, G.711 a-law, G.729A, G.723.1 Low?,. Transcoding from any to any of these audio Codecs is possible.

1.16.2. Emergency Calls

Not used in ALU environment.

In SIP, it is possible to define a static route for emergency calls.

7. Administration Operation and Maintenance

1.17. OAM Tools

Neogate offers several tools to manage administration, operations, and maintenance:
- Command Line Interface (CLI)
- Graphical User Interface (GUI)
- SNMP agent
- Log and statistics
- Call Detail Records (CDRs)
- QoS Probe

All of these tools are described in detail in the following sections.

1.17.1. Command Line Interface CLI

The CLI allows the administration of NeoXBC from an appropriate and secured environment to avoid the errors commonly made when using the classic Unix Shell. NeoXBC's CLI offers two levels of privileges:
- Administration
- Supervision

Numerous commands are available on Neogate's CLI to show the system status and to manage the NeoXBC services and revisions. Additional commands are available to enter new modes that make it possible to configure, administer, or debug the Neogate. The main functionalities are the following:
- Usual functions: command completion, command history
- Configuration of both ALG and MP parameters
- Configuration of some system variables: network interface
- Start / Stop the system and some processes
- See the service state: number of clients, number of calls

1.17.2. Graphical User Interface GUI

The GUI is a user-friendly Web interface that allows administrating, operating and supervising Neogate from a graphical and secured environment.

Configuration: The GUI offers a very intuitive interface to configure the whole system (ALGs, MP, SNMP agent, system interfaces, QoS policies)

Figure 21 : Configuration Menu

Provisioning: The graphical interface is also very useful for provisioning (Trunk Group, CAC profiles, Codec profiles, Routing rules)

Figure 22 : Provisioning Menu from SIP ALG

In addition to these different menus, the GUI also offers some tools that ease wide-scale provisioning. Indeed, a wizard tool is available in H.323 to automate softswitch route provisioning. At softswitch/GW declaration, the associated route will be automatically created thanks to specific rules associated to the chosen mode:
- DestPort Mode: Destination IPBX is determined by the core softswitch. NeoXBC routes the message according to the Q931 image port on which it receives the message.

Figure 23 : Automatized Routing Rules Creation Menu

Monitoring: Lastly, NeoXBC's GUI can be used for monitoring. It is particularly interesting as it offers a graphical representation of the different data (calls and clients statistics, system), which is easier to interpret and analyze. The following screenshot shows the monitoring interface for H.323 ALG:

Figure 24 : Monitoring Interface

The GUI offers two privilege levels:
- Supervision Mode: Allows the supervision of Neogate's configuration and status
- Administration Mode: Allows all actions: configuration, provisioning, supervision

1.17.3. SNMP Agent

A supervision system enables generation of malfunction alerts for the whole system (including redundant system if present).

NeoSNMP is an SNMP agent used with Neogate to monitor the services and the server status. It isn't an administration tool, so it isn't possible to modify the configuration of the Neogate. The main available features are the reading of parameters or status and the events notification (traps). All information about alerts is described in the MIB (Management Information Base). The MIB is described in the next section. The alarm thresholds are configurable by GUI or CLI.

Figure 25: Trap Level Configuration Menu

In order to guarantee the best performance, the SNMP agent doesn't systematically interrogate the system during a GET request, but returns the latest information obtained during the synchronization with the system. For that, a polling frequency has to be defined.

Supported Versions

The agent implements the three versions of SNMP: v1, v2c and v3. With SNMP v3, the security is improved with authentication (MD5 and SHA) and privacy (DES).

Neogate's MIB

The SNMP agent is protocol-independent. The MIB is used either for SIP, ???????

Figure 26: MIB Tree

AgentX Protocol

AgentX Protocol is implemented, so it can be used under a Master Agent (SubAgent mode). The following picture describes the internal architecture of the SNMP agent with AgentX protocol:

Figure 27 : SNMP with AgentX protocol

This allows having a Master Agent that supervises both the NeoXBC system agent and hardware SNMP agent for example.

1.17.4. Call Detail Records

Neogate is ideally placed at the entry of the network to collect and dispatch CDRs (call detail records) which identify not only the caller, callee, call duration, time of day, etc., but also QoS metrics for the call. The CDR format is as follows:
- Date: Date of creation of CDR
- Proxy Call ID: Call Id which is generated at Neogate's context level
- Protocol Call ID: Call Id of the protocol
- Clients Registered: Number of clients registered on SBC
- Start Call Time: Date of call start
- Call Duration: Duration of the call (in seconds)
- The following section will be filled by calling identifiers. Ex: userName, DisplayName, From field...
  - Calling ID1
  - Calling ID2
  - Calling ID3
  - Calling address
  - Calling equipment
- The following section will be filled by called identifiers. Ex: userName, DisplayName, From field...
  - Called ID1
  - Called ID2
  - Called ID3
  - Called address
  - Called equipment
- Intra: Is it a call between two clients registered on the same SBC?
- Call Status: End call reason
- Media Stream Routed: Are the media routed by MP?
- Media Relay IP: Address of MediaProxy in charge of routing flows
- IsTranscoded: Are the RTP flows transcoded? (ex. G711 to G729)
- User Field: Free field for additional information
- Number of Channels: Number of media channels. 1 Audio flow = 2 channels (1 per direction). 5 flows maximum per call

In addition to the preceding information, Neogate integrates QoS metrics information in CDR. The following information is available:
- SSRC[x]
- Packets[x]
- Lost packets[x]
- Payload type[x]
- Jitter[x]
- Jitter Min[x]
- Jitter Max[x]
- Bandwidth[x]
- Bandwidth Min[x]
- Bandwidth Max[x]
- RTPD[x] - Round Trip Packet Delay
- RTPD Min[x]
- RTPD Max[x]

For information, x = 0: Audio caller->callee, 1: Audio callee->caller, 2: Video caller->callee, 3: Video callee->caller, 4: 2nd Video flow caller->callee, 5: 2nd Video flow callee->caller, 6: data caller->callee, 7: data callee->caller, 8: control caller->callee, 9: control callee->caller.

Optionally, NeoQoS (NeoXBC QoS probe) adds new parameters in CDR:
- R-Mark min
- R-Mark max
- R-Mark average

The R-Mark, based on the ITU-T E-Model, gives a good estimation of the quality of a call. For more details, please refer to Section 7.5.5: QoS Probe

Logs and Statistics

1.17.4.1. Traces / Log

The NeoXBC provides a trace function, which records the Neogate operating conditions. This function keeps traces of actions and events by writing traces in a file. This trace file may be used afterwards to analyze problems which could occur. This file is stored on the Neogate. Neogate offers several trace levels. Each level provides progressively more information than the previous one.

Selective Logs

The aim of the selective logs function is to have a powerful and useful tool for the support and operation teams. The principle is to have an enhanced tracer offering logs with detailed information, coupled with a powerful system of filters that allows retrieving specific pieces of information from the whole. This functionality is only available in H.323.

1.17.4.2. Statistics

The principal available statistics include:
- Date
- Number of active calls
- Number of active registrations
- Total of registration/acceptance/rejection attempts
- Total of calls/acceptance/rejection by the ALG/rejection by the softswitch attempts
- Rate of use of ALG/system CPU
- Rate of use of ALG/system memory
- Number of received messages per message type

1.18. Backup: Restore and Upgrade Management

Neogate offers several tools to ensure safe operational manipulations like upgrades or configuration modifications.

Backup-Restore Tool

This tool enables the operator to perform a full backup of the machine (installed software packages and configuration) and to restore for a roll-back in case of problems during upgrade or after an error during configuration modification. This tool is available on CLI (commands: neoXBC-admin >backup or >restore) and on the GUI:

Figure 28: GUI interface for Backup-Restore

Revision Tool

This tool enables management of a revision system. A revision is a customized set of software packages that do not correspond to a release. For any kind of reason (patch, customer-specific development) a finite number of software packages have to be upgraded. It is possible to create a revision that contains all of these software packages. The revision tool enables management of these different revisions from the CLI, offering:
- A history command (to show the entire history of the different applied revisions)
- A roll-back command that allows a return to a previous version of configuration, revision per revision.

8. Performance and Capacities


- A maximum of 4000 calls is supported on Neogate software in ALU environment.
- On IBM Maolin server, a maximum of 1000 simultaneous calls is supported.

1.19. Reliability

Using the same software as the carrier grade NeoXBC, Neogate inherits carrier grade reliability. As a key component of any VoIP architecture, NeoGate is an enterprise-class solution that provides 99.999% system availability. The system is built on a hardened Linux OS and runs on Intel servers from IBM and HP.

1.20. Packaging in ALU environment

Neogate is a software based SBC that runs on a hardened Linux Red Hat distribution (NetOS). The software can be hosted on a number of certified platforms including:
- IBM Maolin 3250 M2: same platform type as for OXE Call Server. Can be sourced from ALU.
- HP Proliant DL360 G5 (4000 simultaneous calls): must be sourced directly from HP

When more than 2 Ethernet accesses are required, it will be necessary to add additional Ethernet ports on the server. Additional Ethernet boards must be sourced directly from IBM or HP.

9. Features matrix by use case


Feature | Neogate feature | SIP Remote users | Hosted OXE (UAIP)
Routing (Call) | Y | B | B
Interface Management (<=2) | Y | B | B
Multi-Interface (>2) | Y | O | B+O
Multi-Ethernet (WAN, LAN) (>2) requires additional Ethernet board | Y | O | B+O
Multi-VLAN (Aggregation) (>2) | Y | O | B+O
VLAN management (<= 2) | Y | B | B
Redundancy (2 servers) | Y | O | B+O
Redundancy (Ethernet) | Y | O | B+O
Redundancy (Media): load balancing on 2 SBCs | Y | N/A | N/A
OXE Spatial Redundancy (with one SBC) | Y | B | B
DMZ compliant (Data FW companion) | Y | B | B
SIP proxy (for remote endpoints, inter) | Y | B | N/A
UA ALG | Y | N/A | B
Authentication (digest) | Y | B | N/A
Authentication redirection to enterprise Proxy or SP (digest) | Y | B | N/A
Authentication redirection (RADIUS, LDAP) | Y | B | N/A
Dynamic Firewalling | Y | B | B
Stateful inspection | Y | B | B
Integrity check | Y | B | B
Protection against DOS attacks | Y | B | B
Protection against vulnerabilities | Y | B | B
NAT/NAPT Traversal | Y | B | B
Topology hiding (NAT) | Y | B | B
Hosted NAT traversal | Y | B | N/A
ICE/STUN/TURN | N | N/A | N/A
Optimized media routing (direct RTP) | Y | B | B
SIP Mediation | Y | B | N/A
QoS tagging | Y | B | B
Codec list negotiation | Y | O | N/A
CAC calls | Y | O | N/A
CAC bandwidth | Y | O | N/A
CDR generation (Maintenance) | Y | B | N/A
QOS Probe + CDR generation | Y | O | N/A

SIP Base/Option Trunking B B B B O O O O B O O N/A B B B O B B B B B B B B B B B N/A B B B O O O B O O O B O O N/A B B B N/A B B B B B B B B B B N/A N/A B B B O O O B O

Feature | Neogate feature | SIP Remote users | Hosted OXE (UAIP)
TLS/SRTP | N | N/A | N/A
Video | Y | O | N/A
Transcoding DTMF info/4733 | Y | N/A | N/A
Transcoding (CODEC) | Y | N/A | N/A
SIP/H323 gateway | N | N/A | N/A
H323 ALG | Y | N/A | N/A
CLI | Y | B | B
GUI | Y | B | B
SNMP | Y | B | N/A
SDK | Y | N/A | N/A
Security Certificates and Keys Management | N | N/A | N/A

SIP Base/Option Trunking N/A N/A O O B B N/A N/A N/A N/A N/A N/A B B B N/A N/A B B B N/A N/A

The above template gives the feature list of Neogate and applicability in ALU environment.
- Column Neogate tells if the feature is available on the generic 5.1 product
- Column base/option tells if the feature is in the basic licence or provided in the option licence (see licensing model): B or O. N/A means feature not available in ALU environment
- Column SIP trunking tells if the feature can be used in ALU SIP trunking environment
- Column SIP remote user tells if the feature can be used in ALU SIP remote user environment
- Column Neogate for hosted OXE tells if the feature can be used with UA/IP protocol (for SIP endpoints in Hosted OXE environment).

10. Licensing model

1.21. Licenses


Basic Pack with 30 SIP Calls One additional SIP Call One additional UA/IP Call Advanced option per call Software license R5.1# R5.1 CD-ROMs (2 CD-ROMs) Redundancy of servers # 3BA09185JA 3BA09186JA 3BA09187JA 3BA09188JA 3BA09189JA 3BH11762AA 3Baxxxxx CC40 CC40 CC40 CC40 CC40 CC40

* NEOGATE SBC * NEOGATE SBC * NEOGATE SBC * NEOGATE SBC * NEOGATE SBC * NEOGATE SBC * NEOGATE SBC

# license with zero value

1.22. Licensing model

For SIP: The price depends on the number N of simultaneous SIP calls that will transit through the Neogate (a sim call is 2 sessions in transit).

Required licenses:
- NEOGATE SBC Basic Pack with 30 SIP Calls * 1 unit
- If the number of SIP calls is more than 30: NEOGATE SBC One additional SIP Call * (N-30) units
- If optional features are required on SIP (see feature list above): NEOGATE SBC Advanced option per call * N units

For UA/IP: The price depends on the number M of simultaneous UA/IP calls that will transit through the Neogate (a sim call is 2 sessions).

Required licenses:
- NEOGATE SBC Basic Pack with 30 SIP Calls * 1 unit
- NEOGATE SBC One additional UA/IP Call * M units
- NEOGATE SBC Advanced option per call * M units

For hybrid UA and SIP:
- NEOGATE SBC Basic Pack with 30 SIP Calls * 1 unit
- If the number of calls is more than 30: NEOGATE SBC One additional SIP Call * (N-30) units
- NEOGATE SBC One additional UA/IP Call * M units
- NEOGATE SBC Advanced option per call * N+M units

11. Glossary

- IMS: IP Multimedia Subsystem
- NGN: Next Generation Network
- SLA: Service Level Agreement
- SBC: Session Border Controller
- TDM: Time Division Multiplex
- BE: Border Element
- NAT: Network Address Translation
- PAT: Port Address Translation

End of document

12. Annex A

Table 1 : SIP Standards

RFC / DRAFT | Reference | Comments
RFC 3261 | SIP : Session Initiation Protocol | Compliant; TCP not supported
RFC 4566, RFC 2327 (deprecated) | SDP : Session Description Protocol | Compliant
RFC 3550, RFC 1889 (deprecated) | RTP : A Transport Protocol for Real Time Applications | Compliant
RFC 2046 | Multipurpose Internet Mail Extensions (MIME) Part Two : Media Types | Compliant
RFC 2069 | An extension to HTTP : Digest Access Authentication | Compliant
RFC 2112 | Multipart MIME | Compliant
RFC 2865, RFC 2138 (deprecated) | Remote Authentication Dial In User Service (RADIUS) | Compliant
RFC 2617 | HTTP Authentication: Basic & Digest Access Authentication | Compliant
RFC 2833 | RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals | Compliant
RFC 2976 | SIP INFO Method | Compliant
RFC 3262 | Reliability of Provisional Responses in SIP | Compliant
RFC 3264 | An Offer/Answer Method with the SDP | Compliant
RFC 3265 | Session Initiation Protocol (SIP) Specific Event Notification | Compliant
RFC 3311 | The Session Initiation Protocol UPDATE Method | Compliant
RFC 3312 | Integration of Resource Management and SIP | Compliant
RFC 3323 | A Privacy Mechanism for the SIP | Partially Compliant; Private header not fully supported
RFC 3324 | Short Term Requirements for Network Asserted Identity | Compliant
RFC 3325 | Private Extension to the SIP for Asserted Identity with Trusted Networks | Partially Compliant; Preferred Identity
RFC 3326 | The Reason Header Field for the SIP | Compliant
RFC 3327 | SIP Extension Header field for registering non adjacent contacts | Partially Compliant
RFC 3329 | Security Mechanism Agreement | Partially Compliant
RFC 3361 | DHCP-for-IPv4 Option for SIP Servers | Compliant
RFC 3372 | SIP for telephones (SIP-T) : context and architectures | Compliant
RFC 3428 | SIP Extension for Instant Messaging (SIMPLE) | Compliant
RFC 3455 | Private Header Extensions for 3GPP | Compliant
RFC 3515 | The SIP REFER Method | Compliant
RFC 3578 | Mapping of Integrated Services Digital Network (ISDN) User Part (ISUP) Overlap Signalling to the Session Initiation Protocol (SIP) | Compliant
RFC 3581 | An Extension to the Session Initiation Protocol (SIP) for Symmetric Response Routing | Compliant
RFC 3608 | SIP Extension Header Field for Service Route Discovery during registration | Compliant
RFC 3680 | SIP Event Package for Registrations | Compliant
RFC 3840 | Indicating User Agent Capabilities in SIP | Compliant
RFC 3841 | Caller Preferences for SIP | Compliant
RFC 3842 | A Message Summary and Message Waiting Indication Event Package | Compliant
RFC 3856 | A Presence Event Package for the Session Initiation Protocol (SIP) | Compliant
RFC 3857 | A Watcher Package Information Event Template- | Partially Compliant; Don't parse XML bodies
RFC 3891 | 'Replaces' Header | Compliant
RFC 3892 | Referred-By Mechanism | Compliant
RFC 3903 | Session Initiation Protocol (SIP) Extension for Event State Publication | Compliant
RFC 3959 | Early Session Disposition Type | Compliant
RFC 3960 | Early Media and Ringing Tone Generation in the Session Initiation Protocol (SIP) | Compliant
RFC 4028 | Session Timers in the Session Initiation Protocol (SIP) | Partially Compliant
RFC 4235 | An Invite-Initiated Dialog Event Package for SIP | Partially Compliant; Don't parse XML bodies
Draft-ietf-sipping-cc-transfert-05 | | Compliant
Draft-ietf-sipping-dialog-package-06 | | Compliant
Draft-ietf-sipping-cc-service-examples-09 | | Compliant
ITU Q.1912.5 for SIP-I | | Compliant

End of document


www.alcatel-lucent.com
