AudioCodes SBC with Neustar SHAKEN Service Configuration Note
This document provides the recommended guidelines for setting up the AudioCodes SBC for interworking with the Neustar platform that provides STIR/SHAKEN certificate management, authentication and verification services.
Document #: LTRT-39277
Configuration Note
AudioCodes Professional Services - Interoperability Lab
Connecting AudioCodes' SBC to Neustar STIR/SHAKEN Services
Version 7.2
Table of Contents
1 Introduction
  1.1 STIR/SHAKEN Overview
    1.1.1 How does STIR/SHAKEN work?
  1.2 About AudioCodes SBC Product Series
2 Interoperability Topology
3 Configuring AudioCodes SBC
  3.1 IP Network Interfaces Configuration
    3.1.1 Configure VLANs
    3.1.2 Configure Network Interfaces
  3.2 Configure Media Realms
  3.3 Configure SIP Signaling Interfaces
  3.4 Configure Proxy Sets and Proxy Address
    3.4.1 Configure Proxy Sets
    3.4.2 Configure Proxy Addresses
  3.5 Configure IP Profiles
  3.6 Configure IP Groups
  3.7 Configure IP-to-IP Call Routing Rules
    3.7.1 Configure IP-to-IP Call Routing Rules for Originating SBC
    3.7.2 Configure IP-to-IP Call Routing Rules for Terminating SBC
  3.8 Configure Message Manipulation Rules
    3.8.1 Configure Message Manipulation Rules for Originating SBC
    3.8.2 Configure Message Manipulation Rules for Terminating SBC
AudioCodes Mediant SBC
Notices
Notice
Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Updates to this document can be downloaded from https://www.audiocodes.com/library/technical-documents.
This document is subject to change without notice.
Date Published: November-11-2020
WEEE EU Directive
Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product.
Customer Support
Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner. For more information on how to buy technical support for AudioCodes products and for contact information, please visit our website at https://www.audiocodes.com/services-support/maintenance-and-support.
Abbreviations and Terminology
Each abbreviation, unless widely used, is spelled out in full when first used.
Related Documentation
Document Name
• Mediant 500 E-SBC User's Manual
• Mediant 500L E-SBC User's Manual
• Mediant 800B E-SBC User's Manual
• Mediant 2600 E-SBC User's Manual
• Mediant 4000 SBC User's Manual
• Mediant 9000 SBC User's Manual
• Mediant Software SBC User's Manual
• Gateway and SBC CLI Reference Guide
• SIP Message Manipulation Reference Guide
• AudioCodes Configuration Notes
Document Revision Record
| LTRT | Description |
|---|---|
| 39277 | Initial document release for Version 7.2 |
Documentation Feedback
AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our website at https://online.audiocodes.com/documentation-feedback.
1 Introduction
This document provides the recommended guidelines for setting up the AudioCodes Session Border Controller (hereafter referred to as SBC) for interworking with the Neustar platform that provides STIR/SHAKEN certificate management, authentication and verification services.
Note: The scope of this document does not fully cover all aspects for deploying the AudioCodes SBC in your environment. For detailed configuration, refer to the device's User's Manual. If you have any questions regarding required configuration, please contact your AudioCodes sales representative.
1.1 STIR/SHAKEN Overview
STIR/SHAKEN is defined by the Federal Communications Commission (FCC) as a framework of interconnected standards. Based on common public key cryptography techniques, it essentially provides the basis to ensure the authenticity of a phone call. The framework is thought of as an important first step to combating illegal and unwanted robocalls.
The process underlying STIR/SHAKEN has been in use on the Internet for years, providing token authentication for secure websites and minimizing the spoofing of Internet addresses by bad actors. More recently, government, service provider, and enterprise security experts have deemed authentication and validation a necessary process for reducing the impact of bad actors on the telephone network.
STIR, short for Secure Telephony Identity Revisited, is the protocol for providing calling party information within a digital signature. It focuses on the end devices and allows the digital signature to be produced and verified in numerous locations.
SHAKEN stands for Secure Handling of Asserted information using Tokens and focuses on how STIR can be implemented within carriers' networks. Where STIR emphasizes the end devices, SHAKEN addresses deployability.
1.1.1 How does STIR/SHAKEN work?
Figure 1-1: STIR/SHAKEN Workflow
1. A SIP INVITE is received by the originating telephone service provider.
2. The originating telephone service provider checks the call source and calling number to determine how to attest for the validity of the calling number:
   • Full Attestation (A): The service provider authenticates the calling party AND confirms they are authorized to use this number. An example of this case is a subscriber registered with the originating telephone service provider's softswitch.
   • Partial Attestation (B): The service provider verifies the call origination but cannot confirm that the call source is authorized to use the calling number. An example of this use case is a telephone number behind an enterprise PBX.
   • Gateway Attestation (C): The service provider authenticates the call's origin but cannot verify the source. An example of this case would be a call received from an international gateway.
3. The originating telephone service provider uses the authentication service to create a SIP Identity header that contains information on the calling number, called number, date and time, attestation level, and call origination, along with the certificate.
4. The SIP INVITE with the SIP Identity header is sent to the terminating telephone service provider.
5. The SIP INVITE with Identity header is passed to the verification service.
6. The verification service obtains the digital certificate of the originating telephone service provider from the public certificate repository.
7. The verification service returns the results to the terminating service provider's softswitch or SBC.
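The Identity header created in step 3 carries a PASSporT token (RFC 8224, RFC 8225, RFC 8588). The following Python code is an added example, not AudioCodes or Neustar code: it decodes a constructed header and runs the claim checks a terminating side can log alongside the verification service's result. The certificate URL, telephone numbers, origid value and the 60-second freshness window are assumptions, and the signature is a 64-byte placeholder that is not cryptographically verified here.

```python
import base64
import json

SAMPLE_X5U = "https://certs.example.org/sp.pem"   # constructed certificate URL
SAMPLE_ORIG_TN = "12025550123"                    # constructed calling number
SAMPLE_DEST_TN = "12025550199"                    # constructed called number


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWS and PASSporT."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_identity(iat: int, attest: str = "B") -> str:
    """Build a constructed Identity header value; the signature is 64 zero bytes."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": SAMPLE_X5U}
    payload = {
        "attest": attest,                          # attestation level A, B or C
        "dest": {"tn": [SAMPLE_DEST_TN]},          # called number
        "iat": iat,                                # date and time (epoch seconds)
        "orig": {"tn": SAMPLE_ORIG_TN},            # calling number
        "origid": "de305d54-75b4-431b-adb2-eb6b9e546014",  # call origination id
    }
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    segments.append(b64url_encode(bytes(64)))      # placeholder, not a real signature
    return ".".join(segments) + f";info=<{SAMPLE_X5U}>;alg=ES256;ppt=shaken"


def parse_identity(header_value: str) -> dict:
    """Split an Identity header value into the decoded PASSporT and its parameters."""
    token, *raw_params = [part.strip() for part in header_value.split(";")]
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        params[key.strip().lower()] = value.strip().strip('<>"')
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("PASSporT must have three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(segments[0])),
        "payload": json.loads(b64url_decode(segments[1])),
        "signature": b64url_decode(segments[2]),
        "params": params,
    }


def check_identity(identity: dict, from_tn: str, to_tn: str, now: int,
                   max_age: int = 60) -> list:
    """Return a list of problems found in the claims (empty list means none)."""
    header, payload = identity["header"], identity["payload"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg is not ES256")
    if header.get("typ") != "passport" or header.get("ppt") != "shaken":
        problems.append("not a SHAKEN PASSporT")
    x5u = header.get("x5u", "")
    if not x5u.startswith("https://"):
        problems.append("x5u is not an https URL")
    if identity["params"].get("info") != x5u:
        problems.append("info parameter differs from x5u")
    if payload.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    if payload.get("orig", {}).get("tn") != from_tn:
        problems.append("orig.tn does not match calling number")
    if to_tn not in payload.get("dest", {}).get("tn", []):
        problems.append("dest.tn does not contain called number")
    if abs(now - int(payload.get("iat", 0))) > max_age:
        problems.append("iat outside freshness window")
    if not payload.get("origid"):
        problems.append("origid missing")
    if len(identity["signature"]) != 64:
        problems.append("signature is not 64 bytes")
    return problems


if __name__ == "__main__":
    now = 1700000000                               # fixed clock for a repeatable run
    for label, age in (("fresh", 5), ("stale", 3600)):
        identity = parse_identity(build_sample_identity(now - age))
        print(label, identity["payload"]["attest"],
              check_identity(identity, SAMPLE_ORIG_TN, SAMPLE_DEST_TN, now))
```

A header that passes these checks has still not been authenticated; that requires validating the ES256 signature against the certificate referenced by x5u, which is the verification service's job in steps 5 to 7.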
1.2 About AudioCodes SBC Product Series
AudioCodes' family of SBC devices enables reliable connectivity and security between the Enterprise's and the service provider's VoIP networks.
The SBC provides perimeter defense as a way of protecting Enterprises from malicious VoIP attacks; mediation for allowing the connection of any PBX and/or IP-PBX to any service provider; and Service Assurance for service quality and manageability. Designed as a cost-effective appliance, the SBC is based on field-proven VoIP and network services with a native host processor, allowing the creation of purpose-built multiservice appliances, providing smooth connectivity to cloud services, with integrated quality of service, SLA monitoring, security and manageability. The native implementation of SBC provides a host of additional capabilities that are not possible with standalone SBC appliances such as VoIP mediation, PSTN access survivability, and third-party value-added services applications. This enables Enterprises to utilize the advantages of converged networks and eliminate the need for standalone appliances.
AudioCodes SBC is available as an integrated solution running on top of its field-proven Mediant Media Gateway and Multi-Service Business Router platforms, or as a software-only solution for deployment with third-party hardware.
2 Interoperability Topology
The interoperability topology contains deployment of AudioCodes SBC at the Originating Service Provider (for authentication) and at the Terminating Service Provider (for verification).
Neustar's SIP-based solution can work in two modes, SIP Proxy or Redirect Server. In SIP Proxy mode, it acts as a stateless proxy and forwards all the requests and responses as expected of a stateless SIP proxy. In Redirect Server mode, it responds to an incoming INVITE message with any 3XX response in the success case and with other error responses in error scenarios.
Note: The interoperability tests were done with Neustar SHAKEN services, configured in Redirect Server Mode. Therefore, AudioCodes highly recommends implementing Neustar Redirect Server mode with AudioCodes SBC.
The figures below illustrate this interoperability topology:
Figure 2-1: Originating Service Provider Authenticates via SBC (Neustar in Redirect Server Mode)
Figure 2-2: Terminating Service Provider Verifies via SBC (Neustar in Redirect Server Mode)
3 Configuring AudioCodes SBC
This chapter provides step-by-step procedures on how to configure AudioCodes SBC for interworking with the Neustar platform for the SHAKEN Services. These configuration procedures are based on the interoperability test topology described in Section 2, and include the following main areas:
For SBC, located at Originating Service Provider:
• SBC LAN interface - IP-PBX, originating calls
• SBC WAN interface - Neustar Authentication Services and SIP Trunking
For SBC, located at Terminating Service Provider:
• SBC LAN interface - IP-PBX, terminating calls
• SBC WAN interface - Neustar Verification Services and SIP Trunking
Note: This document describes partial configuration. Your implementation can be different. So, for detailed configuration of other entities in the deployment such as the SIP Trunk Provider and the local IP-PBX, refer to the device's User's Manual.
3.1 IP Network Interfaces Configuration
This section describes how to configure the SBC's IP network interfaces. There are several ways to deploy the SBC; however, this interoperability test topology employs the following deployment method:
SBC interfaces with the following IP entities:
• IP-PBX, located on the LAN
• Neustar platform, located on the WAN
SBC connects to the WAN through a DMZ network.
Physical connection: The type of physical connection to the LAN depends on the method used to connect to the Enterprise's network. In the interoperability test topology, SBC connects to the LAN and DMZ using dedicated LAN ports (i.e., two ports and two network cables are used).
SBC also uses two logical network interfaces:
• LAN (VLAN ID 1)
• DMZ (VLAN ID 2)
Figure 3-1: Network Interfaces in Interoperability Test Topology (diagram labels: Management Station (OAMP), IP-PBX, LAN ports, VLAN ID 1 LAN, VLAN ID 2 DMZ, Firewall, WAN, SIP Trunk, STIR/SHAKEN Service)
3.1.1 Configure VLANs
This section describes how to define VLANs for each of the following interfaces:
• LAN (assigned the name "LAN_IF")
• WAN (assigned the name "WAN_IF")
To configure the VLANs:
1. Open the Ethernet Device table (Setup menu > IP Network tab > Core Entities folder > Ethernet Devices).
2. There will be one existing row for VLAN ID 1 and underlying interface GROUP_1.
3. Add another VLAN ID 2 for the WAN side.
Figure 3-2: Configured VLAN IDs in Ethernet Device
3.1.2 Configure Network Interfaces
This section describes how to configure the IP network interfaces for each of the following interfaces:
• LAN (assigned the name "LAN_IF")
• WAN (assigned the name "WAN_IF")
To configure the IP network interfaces:
1. Open the IP Interfaces table (Setup menu > IP Network tab > Core Entities folder > IP Interfaces).
2. Configure the IP interfaces as follows (your network parameters might be different):
Table 3-1: Configuration Example of the Network Interface Table
| Index | Application Types | Interface Mode | IP Address | Prefix Length | Gateway | DNS | I/F Name | Ethernet Device |
|---|---|---|---|---|---|---|---|---|
| 0 | OAMP + Media + Control | IPv4 Manual | 10.15.77.77 | 16 | 10.15.0.1 | 10.15.27.1 | LAN_IF | vlan 1 |
| 1 | Media + Control | IPv4 Manual | 195.189.192.157 (DMZ IP address of SBC) | 25 | 195.189.192.129 (router's IP address) | According to your Internet provider's instructions | WAN_IF | vlan 2 |
Note: Be aware that the SBC's public IP addresses must be provisioned on the Neustar side in order to establish communications.
The configured IP network interfaces are shown below:
Figure 3-3: Configured Network Interfaces in IP Interfaces Table
3.2 Configure Media Realms
This section describes how to configure Media Realms. The simplest configuration is to create two Media Realms - one for internal (LAN) traffic and one for external (WAN) traffic.
To configure Media Realms:
1. Open the Media Realms table (Setup menu > Signaling & Media tab > Core Entities folder > Media Realms).
2. Configure Media Realms as follows (you can use the default Media Realm (Index 0), but modify it):
Table 3-2: Configuration Example Media Realms in Media Realms Table
| Index | Name | Topology Location | IPv4 Interface Name | Port Range Start | Number of Media Session Legs |
|---|---|---|---|---|---|
| 0 | MRLan (arbitrary name) | | LAN_IF | 6000 | 100 (media sessions assigned with port range) |
| 1 | MRWan (arbitrary name) | Up | WAN_IF | 7000 | 100 (media sessions assigned with port range) |

The configured Media Realms are shown in the figure below:
Figure 3-4: Configured Media Realms in Media Realm Table
3.3 Configure SIP Signaling Interfaces
This section describes how to configure SIP Interfaces. For the interoperability test topology, an internal and external SIP interface must be configured for the SBC.
To configure SIP Interfaces:
1. Open the SIP Interfaces table (Setup menu > Signaling & Media tab > Core Entities folder > SIP Interfaces).
2. Configure SIP Interfaces. You can use the default SIP Interface (Index 0) but modify it as shown in the table below. The table below shows an example of the configuration. You can change some parameters according to your requirements.
Table 3-3: Configuration Example of SIP Signaling Interfaces
| Index | Name | Network Interface | Application Type | UDP Port | TCP Port | TLS Port | Media Realm |
|---|---|---|---|---|---|---|---|
| 0 | SIPInterface_LAN (arbitrary name) | LAN_IF | SBC | 5060 (according to IP-PBX requirement) | 0 | 0 | MRLan |
| 1 | SIPInterface_WAN (arbitrary name) | WAN_IF | SBC | 5060 (according to SIP Trunk requirement) | 0 | 0 | MRWan |

The configured SIP Interfaces are shown in the figure below:
Figure 3-5: Configured SIP Interfaces in SIP Interface Table
3.4 Configure Proxy Sets and Proxy Address
This section describes how to configure Proxy Sets and Proxy addresses. The Proxy Set defines the destination address (IP address or FQDN) of the IP entity server. Proxy Sets can also be used to configure load balancing between multiple servers. For the interoperability test topology, Proxy Sets need to be configured for the following IP entities:
• IP-PBX
• SIP Trunk
• Neustar platforms
The Proxy Sets are later applied to the VoIP network by assigning them to IP Groups.
3.4.1 Configure Proxy Sets
This section describes how to configure proxy sets.
To configure Proxy Sets for SBC, located at Originating Service Provider:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets).
2. Configure Proxy Sets as shown in the table below:
Table 3-4: Configuration Example Proxy Sets in Originating SBC

| Index | Name | SBC IPv4 SIP Interface | Proxy KeepAlive | Proxy Hot Swap |
|---|---|---|---|---|
| 1 | IP-PBX (arbitrary name) | SIPInterface_LAN | Using Options | - |
| 2 | SIP Trunk (arbitrary name) | SIPInterface_LAN | Using Options | - |
| 3 | Neustar-AS (arbitrary name) | SIPInterface_WAN | Using Options | Enable |

The configured Proxy Sets at Originating SBC are shown in the figure below:
Figure 3-6: Configured Proxy Sets at Originating SBC
To configure Proxy Sets for SBC, located at Terminating Service Provider:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets).
2. Configure Proxy Sets as shown in the table below:
Table 3-5: Configuration Example Proxy Sets in Terminating SBC

| Index | Name | SBC IPv4 SIP Interface | Proxy KeepAlive | Proxy Hot Swap |
|---|---|---|---|---|
| 1 | IP-PBX (arbitrary name) | SIPInterface_LAN | Using Options | - |
| 2 | SIP Trunk (arbitrary name) | SIPInterface_WAN | Using Options | - |
| 3 | Neustar-VS (arbitrary name) | SIPInterface_WAN | Using Options | Enable |

The configured Proxy Sets at Terminating SBC are shown in the figure below:
Figure 3-7: Configured Proxy Sets at Terminating SBC
3.4.2 Configure Proxy Addresses
This section describes how to configure proxy addresses.
To configure a Proxy Address for IP-PBX:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets) and then click the Proxy Set IP-PBX, and then click the Proxy Address link located below the table; the Proxy Address table opens.
2. Click +New.
3. Configure the IP address of the IP-PBX Proxy Set according to the parameters described in the table below:
Table 3-6: Configuration IP-PBX Proxy Address

| Index | Proxy Address | Transport Type |
|---|---|---|
| 0 | {IP-PBX IP address or FQDN}:5060 | UDP (according to IP-PBX requirement) |

4. Click Apply and then save your settings to flash memory.
To configure a Proxy Address for SIP Trunk:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets) and then click the Proxy Set SIP Trunk, and then click the Proxy Address link located below the table; the Proxy Address table opens.
2. Click +New.
3. Configure the IP address of the SIP Trunk Proxy Set according to the parameters described in the table below:
Table 3-7: Configuration SIP Trunk Proxy Address

| Index | Proxy Address | Transport Type |
|---|---|---|
| 0 | {SIP Trunk IP address or FQDN}:5060 | UDP (according to SIP Trunk requirement) |

4. Click Apply and then save your settings to flash memory.
To configure a Proxy Address for Neustar AS at Originating SBC:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets) and then click the Proxy Set Neustar-AS, and then click the Proxy Address link located below the table; the Proxy Address table opens.
2. Click +New.
3. Configure the IP address of the Neustar AS Proxy Set according to the parameters described in the table below:
Table 3-8: Configuration Neustar AS Proxy Address

| Index | Proxy Address | Transport Type |
|---|---|---|
| 0 | sipas-uat.ccid.neustar.biz:5060 | UDP |

4. Click Apply and then save your settings to flash memory.
To configure a Proxy Address for Neustar VS at Terminating SBC:
1. Open the Proxy Sets table (Setup menu > Signaling & Media tab > Core Entities folder > Proxy Sets) and then click the Proxy Set Neustar-VS, and then click the Proxy Address link located below the table; the Proxy Address table opens.
2. Click +New.
3. Configure the IP address of the Neustar VS Proxy Set according to the parameters described in the table below:
Table 3-8: Configuration Neustar VS Proxy Address

| Index | Proxy Address | Transport Type |
|---|---|---|
| 0 | sipvs-uat.ccid.neustar.biz:5060 | UDP |

4. Click Apply and then save your settings to flash memory.
3.5 Configure IP Profiles
This section describes how to configure IP Profiles. The IP Profile defines a set of call capabilities relating to signaling (e.g., SIP message terminations such as 3xx) and media (e.g., coder and transcoding method). In this interoperability test topology, IP Profiles need to be configured for the following IP entities:
For SBC, located at Originating Service Provider:
• IP-PBX
• SIP Trunk
For SBC, located at Terminating Service Provider:
• SIP Trunk
Note: This section shows only partial configuration. Your implementation can be different and additional parameters may need to be configured for each entity. For detailed configuration, refer to the device's User's Manual.
To configure IP Profile for the IP-PBX in the Originating SBC:
1. Open the IP Profiles table (Setup menu > Signaling & Media tab > Coders & Profiles folder > IP Profiles).
2. Click New, and then configure the parameters as follows:

| Parameter | Value |
|---|---|
| General | |
| Index | 1 |
| Name | IP-PBX |
| SBC Forward and Transfer | |
| Remote 3xx Mode | Handle Locally (required, for terminating SIP 3xx responses from Neustar AS platform) |

3. Click Apply.
To configure an IP Profile for the SIP Trunk in the Originating SBC:
1. Click New, and then configure the parameters as follows:

| Parameter | Value |
|---|---|
| General | |
| Index | 2 |
| Name | SIP Trunk |
| SBC Signaling | |
| P-Asserted-Identity Header Mode | Add |

2. Click Apply.
To configure an IP Profile for the SIP Trunk in the Terminating SBC:
1. Click New, and then configure the parameters as follows:

| Parameter | Value |
|---|---|
| General | |
| Index | 1 |
| Name | SIP Trunk |
| SBC Forward and Transfer | |
| Remote 3xx Mode | Handle Locally (required, for terminating SIP 3xx responses from Neustar VS platform) |

2. Click Apply.
3.6 Configure IP Groups
This section describes how to configure IP Groups. The IP Group represents an IP entity on the network with which the SBC communicates. This can be a server (e.g., IP-PBX or SIP Trunk) or it can be a group of users (e.g., LAN IP phones). For servers, the IP Group is typically used to define the server's IP address by associating it with a Proxy Set. Once IP Groups are configured, they are used to configure IP-to-IP routing rules for denoting source and destination of the call.
In this interoperability test topology, IP Groups must be configured for the following IP entities:
• IP-PBX
• SIP Trunk
• Neustar platforms
To configure IP Groups in the Originating SBC:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
2. Add an IP Group for the IP-PBX:
| Parameter | Value |
|---|---|
| Index | 1 |
| Name | IP-PBX |
| Type | Server |
| Proxy Set | IP-PBX |
| IP Profile | IP-PBX |
| Media Realm | MRLan |
| SIP Group Name | (according to ITSP requirement) |
3. Configure an IP Group for the SIP Trunk:

| Parameter | Value |
|---|---|
| Index | 2 |
| Name | SIP Trunk |
| Topology Location | Up |
| Type | Server |
| Proxy Set | SIP Trunk |
| IP Profile | SIP Trunk |
| Media Realm | MRWan |
| SIP Group Name | (according to ITSP requirement) |

4. Configure an IP Group for the Neustar AS platform:

| Parameter | Value |
|---|---|
| Index | 3 |
| Name | Neustar |
| Topology Location | Up |
| Type | Server |
| Proxy Set | Neustar-AS |
| Media Realm | MRWan |
| SIP Group Name | (according to ITSP requirement) |
| Always Use Src Address | Yes |
To configure IP Groups in the Terminating SBC:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
2. Add an IP Group for the IP-PBX:
| Parameter | Value |
|---|---|
| Index | 1 |
| Name | IP-PBX |
| Type | Server |
| Proxy Set | IP-PBX |
| Media Realm | MRLan |
| SIP Group Name | (according to ITSP requirement) |
3. Configure an IP Group for the SIP Trunk:

| Parameter | Value |
|---|---|
| Index | 2 |
| Name | SIP Trunk |
| Topology Location | Up |
| Type | Server |
| Proxy Set | SIP Trunk |
| IP Profile | SIP Trunk |
| Media Realm | MRWan |
| SIP Group Name | (according to ITSP requirement) |

4. Configure an IP Group for the Neustar VS platform:

| Parameter | Value |
|---|---|
| Index | 3 |
| Name | Neustar-VS |
| Topology Location | Up |
| Type | Server |
| Proxy Set | Neustar-VS |
| Media Realm | MRWan |
| SIP Group Name | (according to ITSP requirement) |
| Always Use Src Address | Yes |
3.7 Configure IP-to-IP Call Routing Rules
This section describes how to configure IP-to-IP call routing rules. These rules define the routes for forwarding SIP messages (e.g., INVITE) received from one IP entity to another. The SBC selects the rule whose configured input characteristics (e.g., IP Group) match those of the incoming SIP message. If the input characteristics do not match the first rule in the table, they are compared to the second rule, and so on, until a matching rule is located. If no rule is matched, the message is rejected. The routing rules use the configured IP Groups (as configured in Section 3.6) to denote the source and destination of the call. For the interoperability test topology, the following IP-to-IP routing rules need to be configured:
For SBC, located at Originating Service Provider:
• Terminate SIP OPTIONS messages on the SBC that are received from any entity
• Send all messages (before authentication) to Neustar AS
• Send all messages based on 302 Response (after authentication) to SIP Trunk
For SBC, located at Terminating Service Provider:
• Terminate SIP OPTIONS messages on the SBC that are received from any entity
• Send all messages with Identity Header (after authentication) to Neustar VS for verification
• Send all messages based on 302 Response (after verification) to IP-PBX
3.7.1 Configure IP-to-IP Call Routing Rules for Originating SBC
This section describes how to configure IP-to-IP call routing rules for the originating SBC.
To configure IP-to-IP routing rules for Originating SBC:
1. Open the IP-to-IP Routing table (Setup menu > Signaling & Media tab > SBC folder > Routing > IP-to-IP Routing).
2. Configure routing rules as shown in the table below:
Table 3-1: Originating SBC IP-to-IP Call Routing Rules

| Index | Name | Source IP Group | Request Type | Call Trigger | Dest Type | Dest IP Group | Internal Action |
|---|---|---|---|---|---|---|---|
| 0 | Terminate OPTIONS | Any | OPTIONS | | Internal | | Reply (Response='200') |
| 1 | To SIP Trunk (arbitrary name) | Any | | 3xx | IP Group | SIP Trunk | |
| 2 | To NeustarAS (arbitrary name) | Any | | | IP Group | Neustar-AS | |
Note: The routing configuration may change according to your specific deployment topology.
The configured routing rules are shown in the figure below:
Figure 3-8: Example of the Configured IP-to-IP Routing Rules in the Originating SBC
3.7.2 Configure IP-to-IP Call Routing Rules for Terminating SBC
This section describes how to configure IP-to-IP call routing rules for Terminating SBC.
To configure IP-to-IP routing rules for Terminating SBC:
1. Open the IP-to-IP Routing table (Setup menu > Signaling & Media tab > SBC folder > Routing > IP-to-IP Routing).
2. Configure routing rules as shown in the table below:
Table 3-2: Terminating SBC IP-to-IP Call Routing Rules

| Index | Name | Source IP Group | Request Type | Call Trigger | Dest Type | Dest IP Group | Internal Action |
|---|---|---|---|---|---|---|---|
| 0 | Terminate OPTIONS | Any | OPTIONS | | Internal | | Reply (Response='200') |
| 1 | To IP-PBX (arbitrary name) | Any | | 3xx | IP Group | SIP Trunk | |
| 2 | To Neustar-VS (arbitrary name) | Any | | | IP Group | NeustarVS | |
Note: The routing configuration may change according to your specific deployment topology.
The configured routing rules are shown in the figure below:
Figure 3-9: Example of the Configured IP-to-IP Routing Rules in the Terminating SBC
3.8 Configure Message Manipulation Rules
This section describes how to configure SIP message manipulation rules. SIP message manipulation rules can include insertion, removal, and/or modification of SIP headers. Manipulation rules are grouped into Manipulation Sets, enabling you to apply multiple rules to the same SIP message (IP entity).
Once you have configured the SIP message manipulation rules, you need to assign them to the relevant IP Group (in the IP Group table) and determine whether they must be applied to inbound or outbound messages.
For the interoperability test topology, the following rules were configured for removing Verstat and Tagging Headers from the messages, sent to the IP-PBX. If this is not required, skip this section.
3.8.1 Configure Message Manipulation Rules for Originating SBC
This section describes how to configure Message Manipulation Rules for the Originating SBC.
To configure SIP message manipulation rules:
1. Open the Message Manipulations page (Setup menu > Signaling & Media tab > Message Manipulation folder > Message Manipulations).
2. Configure a new manipulation rule (Manipulation Set 5) for Neustar-AS. This rule applies to messages received from the Neustar-AS IP Group. It adds a SIP Contact header (if one does not exist), with the value of the SIP To header, to the SIP 302 responses from Neustar AS. This rule is needed because the Neustar AS service can be configured not to send a Contact header in the SIP 302 response.

| Parameter | Value |
|---|---|
| Index | 0 |
| Name | Add Contact to 302 from Neustar |
| Manipulation Set ID | 5 |
| Message Type | Invite.Response.3xx |
| Condition | Header.Contact !exists |
| Action Subject | Header.Contact |
| Action Type | Add |
| Action Value | Header.To |
Figure 3-10: Configuring SIP Message Manipulation Rule 0 (for Neustar-AS)
3. Configure another manipulation rule (Manipulation Set 5) for Neustar-AS. This rule applies to messages received from the Neustar-AS IP Group. It saves the content of the SIP Identity header (if it exists) from the SIP 302 response for further usage.

| Parameter | Value |
|---|---|
| Index | 1 |
| Name | Save-Identity-Header-from-3xx |
| Manipulation Set ID | 5 |
| Message Type | Invite.Response.3xx |
| Condition | Header.Identity exists |
| Action Subject | Var.Session.Id |
| Action Type | Modify |
| Action Value | Header.Identity.Content |
Figure 3-11: Configuring SIP Message Manipulation Rule 1 (for Neustar-AS)
4. Configure another manipulation rule (Manipulation Set 4) for the SIP Trunk. This rule applies to any request messages sent to the SIP Trunk IP Group. It adds a SIP Identity header to all messages sent to the SIP Trunk, with the content saved from the SIP 302 response.
Parameter | Value
Index | 2
Name | Add-Identity-to-Invite
Manipulation Set ID | 4
Message Type | Invite.Request
Condition | Var.Session.Id != ''
Action Subject | Header.Identity
Action Type | Add
Action Value | Var.Session.Id
Figure 3-12: Configuring SIP Message Manipulation Rule 2 (for SIP Trunk)
Examples of the configured message manipulation rules are shown in the figure below:
Figure 3-13: Example of Configured SIP Message Manipulation Rules for Originating SBC
5. Assign Manipulation Set ID 4 to the SIP trunk IP Group:
a. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
b. Select the row of the SIP trunk IP Group, and then click Edit.
c. Set the 'Outbound Message Manipulation Set' field to 4.
Figure 3-14: Assigning Manipulation Set to the SIP Trunk IP Group
d. Click Apply.
6. Assign Manipulation Set ID 5 to the Neustar-AS IP Group:
a. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
b. Select the row of the Neustar-AS IP Group, and then click Edit.
c. Set the 'Inbound Message Manipulation Set' field to 5.
Figure 3-15: Assigning Manipulation Set 5 to the Neustar-AS IP Group
d. Click Apply.
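The Originating SBC relays the Identity header from the Neustar-AS 302 response unchanged, so a header captured on the SIP Trunk side can be inspected directly. The following Python sketch is an added example (not AudioCodes or Neustar code) that decodes the PASSporT in such a header and runs structural checks only, without verifying the signature. The function names, the sample values and the 60-second freshness default are assumptions.

```python
import base64, json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims, parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    hdr, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    if not (isinstance(hdr, dict) and isinstance(claims, dict)):
        raise ValueError("PASSporT header and payload must be JSON objects")
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    return hdr, claims, kv

def check_shaken(value, from_tn, now, max_age=60):
    """Structural checks only (no signature verification). Returns problems."""
    try:
        hdr, claims, kv = parse_identity(value)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"unparseable Identity: {exc}"]
    problems = []
    if hdr.get("ppt") != "shaken" or kv.get("ppt", "").strip('"') != "shaken":
        problems.append("ppt is not shaken")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("missing or invalid attest")
    orig = claims.get("orig")
    if not isinstance(orig, dict) or orig.get("tn") != from_tn.lstrip("+"):
        problems.append("orig.tn does not match From")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("iat outside freshness window")
    return problems

def sample_identity(iat):
    """Constructed sample; certificate URL, numbers and signature are dummies."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550199"]}, "iat": iat,
              "orig": {"tn": "12025550100"},
              "origid": "00000000-0000-0000-0000-000000000000"}
    token = ".".join(b64url_encode(json.dumps(p).encode()) for p in (hdr, claims))
    return token + ".c2ln;info=<https://cert.example/sp.pem>;alg=ES256;ppt=shaken"
```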
3.8.2 Configure Message Manipulation Rules for Terminating SBC
This section describes how to configure message manipulation rules for the Terminating SBC.
To configure the SIP message manipulation rules:
1. Open the Message Manipulations page (Setup menu > Signaling & Media tab > Message Manipulation folder > Message Manipulations).
2. Configure a new manipulation rule (Manipulation Set 5) for Neustar-VS. This rule applies to messages received from the Neustar-VS IP Group. It adds a SIP Contact header (if one does not exist), with the value from the SIP To header, to the SIP 302 responses from Neustar VS. This rule is needed because the Neustar VS service can be configured not to send a Contact header in the SIP 302 response.
Parameter | Value
Index | 0
Name | Add Contact to 302 from Neustar
Manipulation Set ID | 5
Message Type | Invite.Response.3xx
Condition | Header.Contact !exists
Action Subject | Header.Contact
Action Type | Add
Action Value | Header.To
Figure 3-16: Configuring SIP Message Manipulation Rule 0 (for Neustar-VS)
3. Configure another manipulation rule (Manipulation Set 2) for the SIP Trunk. This rule applies to messages received from the SIP Trunk IP Group. It removes the SIP P-Asserted-Identity header from INVITE messages.
Parameter | Value
Index | 1
Name | Remove orig PAI from SIP Trunk
Manipulation Set ID | 2
Message Type | Invite.Request
Action Subject | Header.P-Asserted-Identity
Action Type | Remove
Figure 3-17: Configuring SIP Message Manipulation Rule 1 (for SIP Trunk)
4. Configure another manipulation rule (Manipulation Set 5) for Neustar. This rule applies to any 3xx responses received from the Neustar-VS IP Group. It saves the content of the user part of the SIP P-Asserted-Identity header received from Neustar-VS (if it contains the string ';verstat=TN-Validation-Passed') for later use.
Parameter | Value
Index | 2
Name | Collect-PAI-with-verstat
Manipulation Set ID | 5
Message Type | Invite.Response.3xx
Condition | Header.P-Asserted-Identity.URL.User regex (.*)(;verstat=TN-Validation-Passed)
Action Subject | Var.Session.PAIwithVerstat
Action Type | Modify
Action Value | Header.P-Asserted-Identity
Figure 3-18: Configuring SIP Message Manipulation Rule 2 (for Neustar-VS)
5. Configure another manipulation rule (Manipulation Set 2) for IP-PBX. This rule applies to messages sent to the IP-PBX IP Group. It adds the SIP P-Asserted-Identity header to all INVITE request messages sent to the IP-PBX, with the content saved from the SIP 302 response.
Parameter | Value
Index | 3
Name | Add-PAI-to-Invite
Manipulation Set ID | 2
Message Type | Invite.Request
Action Subject | Header.P-Asserted-Identity
Action Type | Add
Action Value | Var.Session.PAIwithVerstat
Figure 3-19: Configuring SIP Message Manipulation Rule 3 (for IP-PBX)
6. If required by the customer, configure another manipulation rule (Manipulation Set 2) for IP-PBX. This rule applies to messages sent to the IP-PBX IP Group. It removes the SIP P-Attestation-Indicator header (if it exists), which contains a validation tag, from any messages sent to the IP-PBX.
Parameter | Value
Index | 4
Name | Remove Tagging Headers
Manipulation Set ID | 2
Message Type | Any.Request
Condition | Header.P-Attestation-Indicator exists
Action Subject | Header.P-Attestation-Indicator
Action Type | Remove
Figure 3-20: Configuring SIP Message Manipulation Rule 4 (for IP-PBX)
7. If required by the customer, configure another manipulation rule (Manipulation Set 2) for IP-PBX. This rule applies to messages sent to the IP-PBX IP Group. It removes the SIP P-Origination-ID header (if it exists), which contains a validation tag, from any messages sent to the IP-PBX.
Parameter | Value
Index | 5
Name | Remove Tagging Headers
Manipulation Set ID | 2
Message Type | Any.Request
Condition | Header.P-Origination-ID exists
Action Subject | Header.P-Origination-ID
Action Type | Remove
Figure 3-21: Configuring SIP Message Manipulation Rule 5 (for IP-PBX)
Examples of the configured message manipulation rules are shown in the figure below:
Figure 3-22: Example of Configured SIP Message Manipulation Rules for Terminating SBC
8. Assign Manipulation Set ID 2 to the IP-PBX IP Group:
a. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
b. Select the row of the IP-PBX IP Group, and then click Edit.
c. Set the 'Outbound Message Manipulation Set' field to 2.
Figure 3-23: Assigning Manipulation Set to the IP-PBX IP Group
d. Click Apply.
9. Assign Manipulation Set ID 3 to the SIP Trunk IP Group:
a. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
b. Select the row of the SIP Trunk IP Group, and then click Edit.
c. Set the 'Inbound Message Manipulation Set' field to 3.
Figure 3-24: Assigning Manipulation Set 3 to the SIP Trunk IP Group
d. Click Apply.
10. Assign Manipulation Set ID 5 to the Neustar-VS IP Group:
a. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder > IP Groups).
b. Select the row of the Neustar-VS IP Group, and then click Edit.
c. Set the 'Inbound Message Manipulation Set' field to 5.
Figure 3-25: Assigning Manipulation Set 5 to the Neustar-VS IP Group
d. Click Apply.
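The Terminating SBC rules 1 to 5 above, modelled in Python as an added illustration (not AudioCodes code; the device's rule engine is only approximated). It shows that rule 1 is what keeps a verstat tag supplied by the SIP Trunk, rather than by Neustar-VS, from reaching the IP-PBX. The message contents are constructed, and skipping rule 3 when nothing was saved is an assumption.

```python
import re

# Rule 2 condition as given on the page; the rest is a simplified model.
VERSTAT_RE = re.compile(r"(.*)(;verstat=TN-Validation-Passed)")
PAI = "P-Asserted-Identity"
TAGGING = ("P-Attestation-Indicator", "P-Origination-ID")

def user_part(pai_value):
    """User part of the first sip:/sips:/tel: URI in a header value."""
    m = re.search(r"(?:sips?|tel):([^@>]+)", pai_value)
    return m.group(1) if m else ""

def values(headers, name):
    """All values of the named header, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]

def terminating_sbc(trunk_invite, vs_302, strip_trunk_pai=True):
    """Headers of the INVITE forwarded to the IP-PBX, as (name, value) pairs."""
    session = {"PAIwithVerstat": ""}
    # Set 5, rule 2: keep the VS PAI only if its user part carries the passed tag.
    for v in values(vs_302, PAI):
        if VERSTAT_RE.search(user_part(v)):
            session["PAIwithVerstat"] = v
    out = list(trunk_invite)
    # Set 2, rule 1: drop the PAI that came with the original INVITE.
    if strip_trunk_pai:
        out = [(n, v) for n, v in out if n.lower() != PAI.lower()]
    # Set 2, rule 3: add the saved PAI (assumption: skipped when nothing saved).
    if session["PAIwithVerstat"]:
        out.append((PAI, session["PAIwithVerstat"]))
    # Set 2, rules 4 and 5: optional removal of the tagging headers.
    return [(n, v) for n, v in out if n not in TAGGING]

# Constructed sample messages (hosts and numbers are made up).
TRUNK_INVITE = [
    ("From", "<sip:+12025550100@trunk.example>"),
    (PAI, "<sip:+12025550100;verstat=TN-Validation-Passed@trunk.example>"),
    ("P-Attestation-Indicator", "A"),
]
VS_PASSED = [(PAI, "<sip:+12025550100;verstat=TN-Validation-Passed@vs.example>")]
VS_FAILED = [(PAI, "<sip:+12025550100;verstat=TN-Validation-Failed@vs.example>")]

if __name__ == "__main__":
    for label, vs, strip in (("passed", VS_PASSED, True), ("failed", VS_FAILED, True),
                             ("failed, rule 1 missing", VS_FAILED, False)):
        print(label, "->", values(terminating_sbc(TRUNK_INVITE, vs, strip), PAI))
```

With rule 1 in place, the IP-PBX sees a P-Asserted-Identity header only when Neustar-VS returned the passed tag; with rule 1 omitted in the model, the trunk's own header is forwarded even when verification did not pass.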
International Headquarters
1 Hayarden Street, Airport City
Lod 7019900, Israel
Tel: +972-3-976-4000
Fax: +972-3-976-4040

AudioCodes Inc.
27 World's Fair Drive, Somerset, NJ 08873
Tel: +1-732-469-0880
Fax: +1-732-469-2298

Contact us: https://www.audiocodes.com/corporate/offices-worldwide
Website: https://www.audiocodes.com/

©2020 AudioCodes Ltd. All rights reserved. AudioCodes, AC, HD VoIP, HD VoIP Sounds Better, IPmedia, Mediant, MediaPack, What's Inside Matters, OSN, SmartTAP, User Management Pack, VMAS, VoIPerfect, VoIPerfectHD, Your Gateway To VoIP, 3GX, VocaNom, AudioCodes One Voice, AudioCodes Meeting Insights, AudioCodes Room Experience and CloudBond are trademarks or registered trademarks of AudioCodes Limited. All other products or trademarks are property of their respective owners. Product specifications are subject to change without notice.
Document #: LTRT-39277