Installation, Operation and Maintenance Manual
AudioCodes One Voice Operations Center
OVOC
Installation, Operation and Maintenance
Version 8.0

Notice

OVOC | IOM

Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Updates to this document can be downloaded from https://www.audiocodes.com/library/technical-documents.

This document is subject to change without notice.

Date Published: March-25-2021

WEEE EU Directive

Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product.

Customer Support

Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner. For more information on how to buy technical support for AudioCodes products and for contact information, please visit our website at https://www.audiocodes.com/services-support/maintenance-and-support.

Documentation Feedback

AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our website at https://online.audiocodes.com/documentation-feedback.

Document Name

OVOC Documents
- Migration from EMS and SEM Ver. 7.2 to One Voice Operations Center
- One Voice Operations Center IOM Manual
- One Voice Operations Center Product Description
- One Voice Operations Center User's Manual
- Device Manager Pro Administrator's Manual
- One Voice Operations Center Alarms Monitoring Guide
- One Voice Operations Center Performance Monitoring Guide
- One Voice Operations Center Security Guidelines
- One Voice Operations Center Integration with Northbound Interfaces
- Device Manager for Third-Party Vendor Products Administrator's Manual
- Device Manager Agent Installation and Configuration Guide
- ARM User's Manual

Documents for Managed Devices
- Mediant 500 MSBR User's Manual
- Mediant 500L MSBR User's Manual
- Mediant 500Li MSBR User's Manual
- Mediant 500L Gateway and E-SBC User's Manual
- Mediant 800B Gateway and E-SBC User's Manual
- Mediant 800 MSBR User's Manual
- Mediant 1000B Gateway and E-SBC User's Manual
- Mediant 1000B MSBR User's Manual
- Mediant 2600 E-SBC User's Manual
- Mediant 3000 User's Manual
- Mediant 4000 SBC User's Manual
- Mediant 9000 SBC User's Manual
- Mediant Software SBC User's Manual

Document Revision Record

| LTRT | Description |
|---|---|
| 94179 | Updated Section: Managed VoIP Equipment; Hardware and Software Specifications; OVOC Capacities; Viewing Process Statuses; Before Enabling Cloud Architecture Mode; Upgrading OVOC Server on Amazon AWS and Microsoft Azure; Full Restore; OVOC License; Configuring the Firewall; Update to HTTPS SSL TLS Security diagram. "Specifications for Service Provider Cluster Mode" merged with Section "OVOC Capacities". Added Section: Before Upgrading on Microsoft Azure; AWS Post Upgrade procedure; Step 4 Registering Microsoft Teams Application; Step 5 Configuring Microsoft Graph Permissions; Step 6 Configuring AudioCodes Azure Active Directory |
| 94180 | Update to the OVOC Capacities table. |

Table of Contents

1 Overview

Part I Pre-installation Information

2 Managed VoIP Equipment
3 Hardware and Software Specifications
    OVOC Server Minimum Requirements
    OVOC Client Requirements
    Bandwidth Requirements
    OVOC Bandwidth Requirements
    Voice Quality Bandwidth Requirements
    OVOC Capacities
    Skype for Business Monitoring SQL Server Prerequisites
4 OVOC Software Deliverables

Part II OVOC Server Installation

5 Files Verification
    Windows
    Linux
    OVOC Server Users
6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms
    Launching Public OVOC Image on Amazon Web Services (AWS)
    Step 1 Launching Public Image on AWS
    Step 2 Connecting Mediant Cloud Edition (CE) SBC Devices on AWS
    Step 2-1 Configuring the OVOC Server (OVOC Server Manager) on AWS
    Step 2-2 Configuring Mediant Cloud Edition (CE) SBC Devices on AWS
    Step 3 Configuring AWS SES Service
    Creating OVOC Virtual Machine and Configuring Microsoft Azure
    Step 1: Creating Virtual Machine on Azure
    Step 2: Configuring OVOC as the Email Server on Microsoft Azure
    Step 2-1: Configuring OVOC as the Email Server on Microsoft Azure using Microsoft Office 365
    Step 2-2 Configuring OVOC as the Email Server on Microsoft Azure using SMTP Relay
    Step 3 Connecting Mediant Cloud Edition (CE) Devices
    Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address
    Configuring Mediant CE SNMP Public IP Connection using Stack Manager
    Configuring Mediant CE OVOC Public IP Connection Settings using Web Interface
    Option 2 Connecting Mediant Cloud Edition (CE) Devices to OVOC on Azure using Internal IP Address
    Configuring Mediant CE SNMP Internal IP Connection with OVOC using Stack Manager
    Configuring Mediant CE OVOC Internal IP Connection Settings using Web Interface
    Step 4 Registering Microsoft Teams Application
    Step 5 Configuring Microsoft Graph API Permissions
    Step 6 Configuring AudioCodes Azure Active Directory (Operator Authentication)
7 Installing OVOC Server on VMware Virtual Machine
    Deploying OVOC Image with VMware vSphere Hypervisor (ESXi)
    Deploying OVOC Image with VMware vSphere Hypervisor (ESXi) in Service Provider Cluster
    Step 1 Upgrade Existing Virtual Machine
    Step 2 Install Service Provider Cluster on Management Server
    Step 3 Install VQM Server
    Step 4 Install PM Server
    Configuring the Virtual Machine Hardware Settings
    Configuring OVOC Virtual Machines (VMs) in a VMware Cluster
    VMware Cluster Site Requirements
    Cluster Host Node Failure on VMware
    Connecting OVOC Server to Network on VMware
8 Installing OVOC Server on Microsoft Hyper-V Virtual Machine
    Configuring the Virtual Machine Hardware Settings
    Expanding Disk Capacity
    Changing MAC Addresses from 'Dynamic' to 'Static'
    Configuring OVOC Virtual Machines in a Microsoft Hyper-V Cluster
    Hyper-V Cluster Site Requirements
    Add the OVOC VM in Failover Cluster Manager
    Cluster Host Node Failure on Hyper-V
    Connecting OVOC Server to Network on HyperV
9 Installing OVOC Server on Dedicated Hardware
    DVD1: Linux CentOS
    Installing DVD1 without a CD-ROM
    DVD2: Oracle DB Installation
    DVD3: OVOC Server Application Installation
10 Managing Device Connections
    Establishing OVOC-Devices Connections
    Configure OVOC Server with Public or NAT IP Address
    Establishing Devices - OVOC Connections
    Automatic Detection
    Configure OVOC Cloud Architecture Mode
    Before Enabling Cloud Architecture Mode
    Configuring Cloud Architecture Mode

Part III OVOC Server Upgrade

11 Upgrading OVOC Server on Amazon AWS and Microsoft Azure
    Before Upgrading on Microsoft Azure
    After Upgrading on AWS
12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines
    Step 1: Setup the Virtual Machine
    Setting up VMware Platform for Upgrade
    Setting up Using VMware Remote Console Application (VMRC)
    Setting up Using VMware Server Host for Upgrade
    Setting Up Microsoft Hyper-V Platform for Upgrade
    Step 2: Run the Server Upgrade Script
    Option 1: Standard Upgrade Script
    Option 2: Service Provider Cluster Upgrade Scripts
    Upgrade Management Server
    Upgrade VQM Server
    Upgrade PM Server
    Step 3: Connect the OVOC Server to Network
    Connecting to OVOC Server on VMware
    Connecting to OVOC Server on Hyper-V
13 Upgrading OVOC Server on Dedicated Hardware
    Upgrading the OVOC Server-DVD
    Upgrading the OVOC Server using an ISO File
14 Installation and Upgrade Troubleshooting of the Operational Environment

Part IV OVOC Server Machine Backup and Restore

15 OVOC Server Backup Processes
    Change Schedule Backup Time
16 OVOC Server Restore
    Configuration Restore
    Full Restore

Part V OVOC Server Manager

17 Getting Started
    Connecting to the OVOC Server Manager
    Using the OVOC Server Manager
    OVOC Server Manager Menu Options Summary
18 Viewing Process Statuses
    Viewing Process Statuses in Service Provider Cluster Mode
19 Viewing General Information
    Viewing General Information in Service Provider Cluster Mode
20 Collecting Logs
21 Application Maintenance
    Start or Restart the Application
    Start and Restart in Service Provider Cluster Mode
    Stop the Application
    Web Servers
    Change Schedule Backup Time
    License
    OVOC License
    Analytics API
    Service Provider Cluster
    Remove PM or VQM Server from Cluster
    Force Remove PM or VQM Server from Cluster
    Synchronize Cluster Node Servers
    Shutdown the OVOC Server Machine
    Reboot the OVOC Server Machine
22 Network Configuration
    Server IP Address
    Ethernet Interfaces
    OVOC Client Login on all OVOC Server Network Interfaces
    Add Interface
    Remove Interface
    Modify Interface
    Ethernet Redundancy
    Add Redundant Interface
    Remove Ethernet Redundancy
    Modify Redundant Interface
    DNS Client
    Static Routes
    Proxy Settings
    SNMP Agent
    SNMP Agent Listening Port
    Linux System Trap Forwarding Configuration
    Server SNMPv3 Engine ID
23 NTP & Clock Settings
    NTP
    Stopping and Starting the NTP Server
    Restrict Access to NTP Clients
    Activate DDoS Protection
    Authorizing Subnets to Connect to OVOC NTP
    Timezone Settings
    Date and Time Settings
25 Security
    OVOC User
    SSH
    SSH Log Level
    SSH Banner
    SSH on Ethernet Interfaces
    Add SSH to All Ethernet Interfaces
    Add SSH to Ethernet Interface
    Remove SSH from Ethernet Interface
    Enable/Disable SSH Password Authentication
    Enable SSH IgnoreUserKnownHosts Parameter
    SSH Allowed Hosts
    Allow ALL Hosts
    Deny ALL Hosts
    Add Hosts to Allowed Hosts
    Remove Host/Subnet from Allowed Hosts
    Oracle DB Password
    Cassandra Password
    OS Users Passwords
    General Password Settings
    Operating System User Security Extensions
    File Integrity Checker
    Software Integrity Checker (AIDE) and Pre-linking
    USB Storage
    Network Options
    Auditd Options
    HTTPS SSL TLS Security
    Server Certificates Update
    OVOC Voice Quality Package - SBC Communication
    HTTP Security Settings
    TLS Version 1.0
    TLS Version 1.1
    Show Allowed SSL Cipher Suites
    Edit SSL Cipher Suites Configuration String
    Restore SSL Cipher Suites Configuration Default
    Manage HTTP Service Port (80)
    Manage IPP Files Service Port (8080)
    Manage IPPs HTTP Port (8081)
    Manage IPPs HTTPS Port (8082)
    OVOC Rest (Port 911)
    Floating License (Port 912)
    OVOC WebSocket (Port 915)
    SBC HTTPS Authentication Mode
    Enable Device Manager Pro and NBIF Web Pages Secured Communication
    Change HTTP/S Authentication Password for NBIF Directory
26 Diagnostics
    Server Syslog Configuration
    Devices Syslog Configuration
    Devices Debug Configuration
    Server Logger Levels
    Network Traffic Capture

Part VI Configuring the Firewall

27 Configuring the Firewall
    Configuring Firewall for Cloud Architecture Mode
    Configuring Firewall for NAT Deployment
    Configuring Firewall for Service Provider Cluster

Part VII Appendix

28 Configuring RAID-0 for AudioCodes OVOC on HP ProLiant DL360p Gen10 Servers
    RAID-0 Prerequisites
    RAID-0 Hardware Preparation
    Configuring RAID-0
    Step 1 Create Logical Drive
    Step 2 Set Logical Drive as Bootable Volume
29 Managing Clusters
    Migrating OVOC Virtual Machines in a VMware Cluster
    Moving OVOC VMs in a Hyper-V Cluster
30 Supplementary Security Procedures
    Installing Custom Certificates on OVOC Managed Devices
    Gateways and SBC Devices
    Step 1: Generate a Certificate Signing Request (CSR)
    Step 2: Receive the New Certificates from the CA
    Step 3: Update Device with New Certificate
    Step 4: Update Device's Trusted Certificate Store
    Step 5: Configure HTTPS Parameters on the Device
    Step 6: Reset Device to Apply the New Configuration
    MP-1xx Devices
    Step 1: Generate a Certificate Signing Request (CSR)
    Step 2: Receive the New Certificates from the CA
    Step 3: Update Device with New Certificate
    Step 4: Update Device's Trusted Certificate Store
    Step 5: Configure HTTPS Parameters on Device
    Step 6: Reset Device to Apply the New Configuration
    Cleaning up Temporary Files on OVOC Server
31 Transferring Files
32 Verifying and Converting Certificates
33 Self-Signed Certificates
    Mozilla Firefox
    Google Chrome
    Microsoft Edge
34 Datacenter Disaster Recovery
    Introduction
    Solution Description
    Initial Requirements
    New Customer Configuration
    Data Synchronization Process
    Recovery Process

1 Overview

The One Voice Operations Center (OVOC) provides customers with the capability to easily and rapidly provision, deploy and manage AudioCodes devices and endpoints. Provisioning, deploying and managing these devices and endpoints with the OVOC are performed from a user-friendly Web Graphic User Interface (GUI). This document describes the installation of the OVOC server and its components. It is intended for anyone responsible for installing and maintaining AudioCodes' OVOC server and the OVOC server database.

Part I Pre-installation Information

This part describes the OVOC server components, requirements and deliverables.

2 Managed VoIP Equipment

The following products (and product versions) can be managed by this OVOC release:

Table 2-1: Managed VoIP Equipment

| Product | Supported Software Version |
|---|---|
| Gateway, SBC and MSBR Devices | |
| Mediant 9000 SBC | Versions 7.4.100, 7.4, 7.2 (including support for MTC), 7.0, 6.8 |
| Mediant 4000 SBC | Versions 7.4.100, 7.4, 7.2, 7.0 and 6.8 |
| Mediant 4000B SBC | Versions 7.4.100, 7.4, 7.2, 7.0 |
| Mediant 2600 E-SBC | Versions 7.4.100, 7.4, 7.2, 7.0 and 6.8 |
| Mediant 2600B E-SBC | Versions 7.4.100, 7.4, 7.2 and 7.0 |
| Mediant Software (Server Edition) SBC | Versions 7.4.100, 7.4, 7.2, 7.0 and 6.8 |
| Mediant Software (Virtual Edition) SBC | Versions 7.4.100, 7.4, 7.2 (including support for MTC), 7.0 and 6.8 |
| Mediant 3000 (TP-8410 and TP-6310) | Versions 7.0 and 6.6 |
| Mediant Cloud Edition | Version 7.4.100, 7.4, 7.2 |
| Mediant 2000 Media Gateways | Version 6.6 |
| Mediant 1000 Gateway [1] | Version 6.6 (SIP) |
| Mediant 1000B Gateway and E-SBC | Versions 7.4.100, 7.4, 7.2, 7.0, 6.8 and 6.6 |
| Mediant 800B Gateway and E-SBC | Versions 7.4.100, 7.4, 7.2, 7.0, 6.8 and 6.6 |
| Mediant 800C | Version 7.4.100, 7.4, 7.2 |
| Mediant 1000B MSBR | Version 6.6 |
| Mediant 800 MSBR | Versions 7.23A.356.xxx, 7.2, 6.8 and 6.6 |
| Mediant 500 MSBR | Version 7.23A.356.xxx, 7.2 and 6.8 |
| Mediant 500L MSBR | Versions 7.23A.356.xxx, 7.2 and 6.8 |
| Mediant 500Li MSBR | Version 7.20AN.4xx.xxx |
| Mediant 500 E-SBC | Version 7.4.100, 7.4, 7.2 |
| Mediant 500L E-SBC | Version 7.4.100, 7.4, 7.2 |
| Mediant 600 [1] | Version 6.6 |
| MediaPack MP-11x series | Version 6.6 (SIP) |
| MediaPack MP-124 | Rev. D and E version 6.6 (SIP) |
| MP-202 | Version 4.4.9 Rev. B, D and R |
| MP-204 | Version 4.4.9 Rev. B, D and R |
| MP-1288 | Version 7.4.100, 7.4, 7.2 |
| SBA [1] | |
| Mediant 800B SBA Skype for Business | SBA version 1.1.12.x and later and gateway Version 7.2 |
| Mediant 800C SBA Skype for Business | SBA version 1.1.12.x and later and gateway Version 7.2 |
| Mediant 1000B SBA Skype for Business | SBA version 1.1.12.x and later and gateway Version 7.2 |
| Mediant 2600B SBA Skype for Business | SBA version 1.1.12.x and later and gateway Version 7.0 |
| Mediant 800B SBA Lync Server | SBA version 1.1.12.x and later and gateway Version 6.8 |
| Mediant 1000B SBA Lync Server | SBA version 1.1.12.x and later and gateway Version 6.8 |
| Mediant 2000B SBA devices Lync Server | SBA version 1.1.12.x and later and gateway Version 6.8 |
| CloudBond [2] | |
| CloudBond 365 Pro Edition | Version 7.6 with Mediant Server version 7.2.100 and later |
| CloudBond 365 Enterprise Edition | Version 7.6 with Mediant Server version 7.2.100 and later |
| CloudBond 365 Standard+ Edition | Version 7.6 with Mediant 800B, Mediant 800C, GX800C version 7.2.100 and later |
| CloudBond 365 Standard Edition | Version 7.6 with Mediant 800B version 7.2.100 and later |
| User Management Pack 365 ENT (Check) | Version 8.0.0 |
| User Management Pack 365 | Version 7.8 |
| CloudBond 365 | Version 8.0.0 (Skype for Business 2019 and Microsoft Teams) |
| User Management Pack 365 SP (Check) | Version 8.0.100 |
| CCE Appliance [2] | |
| Mediant 800 CCE Appliance | Version 2.1 with Mediant 800B |
| Mediant Server CCE Appliance | Version 2.1 with Mediant Server |
| Other Applications | |
| SmartTAP 360 Recording | Version 4.3, Version 5.0, Version 5.1 |

| IP Phones | Supported Software Versions/Models |
|---|---|
| Skype for Business | From Version 3.0.0: 420HD, 430HD, 440HD and 405HD |
| | From Version 3.0.1: 420HD, 430HD, 440HD, 405HD and 450HD |
| | From Version 3.0.2: HRS 457 (with Jabra firmware support) |
| | From Version 3.1.0: 445HD, 430HD, 440HD, 405HD, 450HD and HRS |
| | From Version 3.2.0: C450HD |
| | From Version 3.2.1: C450HD, 445HD, 430HD, 440HD, 405HD, 450HD and HRS |
| | From Version 3.4.2: RX50 Conference Device [3] |
| Native Teams (Android-based) | From Version 1.8: C470HD, C448HD and C450HD |
| | From Version 1.9: RXV80 |
| | From Version 1.11 (Preliminary): C435HD [4] |

| Third-party Vendor Devices | Supported Software Version |
|---|---|
| Spectralink | Spectralink 8440 |
| Polycom | Polycom Trio 8800, Polycom VVX 410 |
| Jabra Headset Support | Jabra BIZ, Jabra Coach, Jabra DIAL, Jabra Eclipse, Jabra Elite, Jabra Engage, Jabra Evolve, Jabra Handset, Jabra LINK, Jabra Motion, Jabra Pro, Jabra Pulse, Jabra SPEAK, Jabra Sport, Jabra STEALTH, Jabra Steel, Jabra SUPREME. For a complete list of supported Jabra phones, see document Device Manager for Third-Party Vendor Products Administrator's Manual. |

[1] This product does not support Voice Quality Management.
[2] To support Voice Quality Management for these devices, customers must add the SBC/Media Gateway platform of these products as standalone devices to OVOC. Once this is done, the SBC/Gateway calls passing through the CloudBond 365/CCE Appliances can be monitored.
[3] This device is not yet supported.
[4] This device has not reached GA.

All versions VoIP equipment work with the SIP control protocol.
Bold refers to new product support and version support.

3 Hardware and Software Specifications

This section describes the hardware and software specifications of the OVOC server.

OVOC Server Minimum Requirements

The table below lists the minimum requirements for running the different OVOC server platforms.

| Resources | Virtual Platform | Memory | Disk Space | Processors |
|---|---|---|---|---|
| Low Profile: VMware | VMware: ESXi 6.7; VMware HA cluster: VMware ESXi 6.5 | 24 GiB RAM | 500 GB | 1 core with at least 2.5 GHz; 2 cores with at least 2.0 GHz |
| Low Profile: HyperV | Microsoft Hyper-V Server 2016; Microsoft Hyper-V Server 2016 HA Cluster | 24 GiB RAM | 500 GB | 1 core with at least 2.5 GHz; 2 cores with at least 2.0 GHz |
| Low Profile: Azure | VM Size: D8ds_v4 | 32 GiB (D8ds_v4) | 500 GB SSD | Low Profile: 8 vCPUs (D8ds_v4) |
| Low Profile: AWS | - | - | - | - |
| High Profile: VMware | VMware: ESXi 6.7; VMware HA cluster: VMware ESXi 6.5 | 40 GiB RAM | 1.2 TB | 6 cores with at least 2 GHz |
| High Profile: HyperV | Microsoft Hyper-V Server 2016; Microsoft Hyper-V Server 2016 HA Cluster | 40 GiB RAM | 1.2 TB | 6 cores with at least 2 GHz |
| High Profile: Azure | VM Size: D16ds_v4 | 64 GiB (D16ds_v4) | 2 TB SSD | 16 vCPUs (D16ds_v4) |
| High Profile: AWS | AWS EC2: InstanceSize: m5.4xlarge | 64 GiB (m5.4xlarge) | AWS EBS: General Purpose SSD (GP2) 2TB | 16 vCPUs (m5.4xlarge) |
| Bare Metal (HP DL360p Gen10) | - | 64 GiB RAM | Disk: 2x 1.92 TB SSD configured in RAID 0 | CPU: Intel (R) Xeon(R) Gold 6126 (12 cores 2.60 GHz each) |
| SP Single | VMware: ESXi 6.7; VMware HA cluster: VMware ESXi 6.5; Ethernet ports: 10GB ports [1] | 256 GB | Standalone mode: SSD 6TB | 24 cores at 2.60 GHz |
| SP Cluster (three VMware servers) | VMware: ESXi 6.7; VMware HA cluster: VMware ESXi 6.5; Ethernet ports: 10GB ports | 256 GB | 20T for management server; 10T for VQ/PM servers | 24 cores at 2.60 GHz |

[1] Relevant for SP Single and SP Cluster only

OVOC Client Requirements

The table below lists the minimum requirements for running an OVOC web client.

Table 3-1: OVOC Client Minimum Requirements

| Resource | OVOC Client |
|---|---|
| Hardware | Screen resolution: 1280 x 1024 |
| Operating System | Windows 7 or later |
| Memory | 8 GB RAM |
| Disk Space | - |
| Processor | - |
| Web Browsers | Mozilla Firefox version 39 and higher; Google Chrome version 79 and higher; Microsoft Edge Browser version 80 and higher |
| Scripts | PHP Version 7.4; Angular 10.0 |

Bandwidth Requirements

This section lists the OVOC bandwidth requirements.

OVOC Bandwidth Requirements

The bandwidth requirement is for OVOC server <-> Device communication. The network bandwidth requirement per device is 500 Kb/sec for faults, performance monitoring and maintenance actions.

Voice Quality Bandwidth Requirements

The following table describes the upload bandwidth speed requirements for Voice Quality for the different devices. The bandwidth requirement is for OVOC server <-> Device communication.

Table 3-2: Voice Quality Bandwidth Requirements

| Device | SBC Sessions (each session has two legs) | Required Kbits/sec or Mbit/sec |
|---|---|---|
| SBC | | |
| MP-118 | - | - |
| MP-124 | - | - |
| Mediant 800, Mediant 850 | 60 | 135 Kbits/sec |
| Mediant 1000 | 150 | 330 Kbits/sec |
| Mediant 2000 | - | - |
| Mediant 2600 | 600 | 1.3 Mbit/sec |
| Mediant 3000 | 1024 | 2.2 Mbit/sec |
| Mediant 4000 | 4,000 | 8.6 Mbit/sec |
| Gateway | | |
| MP-118 | 8 | 15 Kbits/sec |
| MP-124 | 24 | 45 Kbits/sec |
| Mediant 800, Mediant 850 | 60 | 110 Kbits/sec |
| Mediant 1000 | 120 | 220 Kbits/sec |
| Mediant 2000 | 480 | 880 Kbits/sec |
| Mediant 2600 | - | - |
| Mediant 3000 | 2048 | 3.6 Mbit/sec |
| Mediant 4000 | - | - |
| Endpoints | - | 56 Kbits/sec |

OVOC Capacities

The following table shows the performance and data storage capabilities for the OVOC managed devices and endpoints.
Table 3-3: OVOC Capacities Machine Specifications Low Profile High Profile Bare Metal Service Provider Single Server Service Provider Cluster Mode OVOC Management Capacity Managed devices 100 Links 200 Operators 5,000 10,000 5,000 10,000 25 10,000 10,000 50,000 10,000 Device Manager Pro Managed devices 1,000 Disk space allocated for 5 GB firmware files 30,000 Microsoft 10,000 Microsoft 30,000 Lync/Skype for Lync/Skype for Skype for Business and Business and Business third-party vendor third- party vendor devices devices 1 devices2 4,000 4,000 Microsoft 4,000 Microsoft Teams Teams devices Teams devices device 10 GB 30,000 Skype for Business devices 4,000 Teams devices 20 GB Alarm and Journal Capacity History alarms Journal logs Steady state Up to 12 months Up to 12 months or 10,000,000 million alarms Up to 12 months Up to 12 months Up to 12 months or 50,000,000 Up to 12 months Up to 12 months 20 alarms per second 50 alarms per second 100 alarms per second 1In normal operation (when devices are remotely managed) 30,000 devices send Keep-alive messages at five minute intervals; however, when managing devices behind a firewall or NAT using the Device Manager agent, a 10% factor (3,000 devices) is deducted for the allocation for these devices. In this case, 90% of the configuration (27,000) is checked every 15 minutes (for remotely managed devices)and 10% is checked every five minutes (for devices managed behind a firewall or NAT). 
2Including phones, headsets and Conference Suite devices - 12 - CHAPTER 3 Hardware and Software Specifications OVOC | IOM Machine Specifications Low Profile High Profile Performance Monitoring Polled parameters per polling interval per OVOC- managed device 50,000 Polled parameters per polling interval per OVOC instance 50,000 100,000 500,000 Bare Metal 100,000 500,000 Storage time One year QoE Call Flow (for SBC calls only) CAPS per device 10 100 100 CAPS (calls attempts per 6 25 100 second) per OVOC instance Maximum number of calls 1,000,000 OVOC QoE for Devices QoE for managed 100 devices 1,200 3,000 CAPS (calls attempts per 30 120 300 second) per device CAPS per OVOC instance 30 120 300 (SBC and SFB/Teams and RFC SIP Publish 6035) Teams CAPS=301 Teams CAPS=1202 QoE concurrent sessions 3,000 12,000 30,000 Call Details Storage detailed information per call Up to one year or 6,000,000 Up to one year or 80,000,000 Up to one year or 80,000,000 Calls Statistics Storage statistics information storage Up to one year or 12,000,000 Up to one year or 150,000,000 Up to one year or 150,000,000 QoE Capacity with SBC Floating License Capability CAPS (calls attempts per 5 22 90 second) per OVOC instance with SIP call flow. Service Provider Single Server Service Provider Cluster Mode 500,000 500,000 1,000,000 5,000,000 for Version 7.4 devices (REST interface) 500,000 for Version 7.2 devices (SNMP interface) 300 300 300 1,000 10,000,000 10,000 25,000 1,000 1,000 1,000 Teams CAPS=3 2,500 100,000 Up to one year or 250,000,000 250,000 Up to one year or 400,000,000 Up to one year or 500,000,000 Up to one year or 750,000,000 - - 1The TEAMS CAPS estimation is based on round trip delay of 500 milliseconds to Microsoft Azure. 2As above 3Please contact AudioCodes OVOC Product Manager - 13 - CHAPTER 3 Hardware and Software Specifications OVOC | IOM Machine Specifications Low Profile High Profile CAPS (calls attempts per 27 108 second) per OVOC instance without SIP call flow. 
Managed devices with 100 500 floating license. Lync and AD Servers applicable for QoE license only MS Lync servers AD Servers for Users sync Users sync Bare Metal 270 1,000 Up to 2 Up to 2 Up to 150,000 Service Provider Single Server - Service Provider Cluster Mode - - -

Skype for Business Monitoring SQL Server Prerequisites

The following are the Skype for Business Monitoring SQL Server prerequisites:

- The server must be defined to accept login in 'Mix Authentication' mode.
- The server must be configured to collect calls before the OVOC can connect to it and retrieve Skype for Business calls.
- Call Detail Records (CDRs) and Quality of Experience (QoE) Data policies must be configured to capture data.
- Network administrators must be provisioned with the correct database permissions (refer to the One Voice Operations Center User's Manual).
- Excel macros must be enabled so that the SQL queries and reports can be run; tested with Excel 2010.
- Detailed minimum requirements for Skype for Business SQL Server can be found in the following link: http://technet.microsoft.com/en-us/library/gg412952.aspx

4 OVOC Software Deliverables

The following table describes the OVOC software deliverables.

Table 4-1: OVOC Software Deliverables

Installation
- Dedicated:
    - DVD1-Linux CentOS Operating System
    - DVD2-Oracle Installation
    - DVD3-OVOC Software Installation
- VMware:
    - Standard mode: DVD5-OVOC Software Installation OVA file
    - Service Provider Cluster mode:
        - Option 1: Management: DVD1-DVD2-DVD3; VQM/PM: DVD1-DVD3
        - Option 2: Management: DVD5-Management-OVA; VQM: DVD5-VQM-OVA; PM: DVD5-PM-OVA
- HyperV: DVD5-OVOC Software Installation 7z file
- Amazon AWS: Create OVOC instance from Public AMI image provided by AudioCodes
- Microsoft Azure: Create OVOC virtual machine from Azure Marketplace.

Upgrade
- Dedicated: DVD3-OVOC Server Application DVD OR DVD3-OVOC Server Application ISO file
- VMware: DVD3-OVOC Server Application ISO file (including separate scripts for Management, VQM and PM servers)
- Microsoft HyperV: DVD3-OVOC Server Application ISO file
- Amazon AWS: DVD3-OVOC Server Application ISO file

Note the following:

- DVD1: Operating System DVD (OVOC server and Client Requirements):
- DVD2: Oracle Installation: Oracle installation version 12.1.0.2 DVD.
- DVD3: Software Installation and Documentation DVD: The 'SW Installation and Documentation' DVD comprises the following folders:
    - 'EmsServerInstall': OVOC server software (including Management server, PM server and VQM server) to install on the dedicated OVOC server machine.
    - Documentation: All documentation related to the present OVOC version. The documentation folder includes the following documents and sub-folders:
        - OVOC Release Notes Document: includes the list of the new features introduced in the current software version as well as version restrictions and limitations.
        - OVOC Server IOM Manual: Installation, Operation and Maintenance Guide.
        - OVOC Product Description
        - OVOC User's Manual
        - OVOC Integration with Northbound Interfaces
        - OVOC Security Guidelines
        - OVOC Alarms Monitoring Guide
        - OVOC Performance Monitoring Guide

Installation and upgrade files can also be downloaded from the Website by registered customers at https://www.audiocodes.com/services-support/maintenance-and-support.

Part II OVOC Server Installation

This part describes the testing of the installation requirements and the installation of the OVOC server.

5 Files Verification

You need to verify the contents of the ISO file received from AudioCodes using an MD5 checksum.
As an Internet standard (RFC 1321), MD5 has been used in a wide variety of security applications, and is also commonly used to check the integrity of files and to verify downloads. Perform the following verifications on the relevant platform:

- Windows (Windows below)
- Linux (Linux below)

Windows

Use the WinMD5 tool to calculate the MD5 hash or checksum for the file:

- Verify the checksum with WinMD5 (see www.WinMD5.com)

Linux

Copy the checksum and the files to a Linux machine, and then run the following command:

    md5sum -c filename.md5

The "OK" result should be displayed on the screen (see figure below).

Figure 5-1: ISO File Integrity Verification

OVOC Server Users

OVOC server OS user permissions vary according to the specific application task. This feature is designed to prevent security breaches and to ensure that a specific OS user is authorized to perform a subset of tasks on a subset of machine directories. The OVOC server includes the following OS user permissions:

- 'root' user: User permissions for installation, upgrade, maintenance using OVOC Server Manager and OVOC application execution.
- acems user: The only available user for login through SSH/SFTP tasks.
- emsadmin user: User with permissions for mainly the OVOC Server Manager and OVOC application for data manipulation and database access.
- oracle user: User permissions for the Oracle database access for maintenance such as installation, patches upgrade, backups and other Oracle database tasks.
- oralsnr user: User in charge of oracle listener startup.
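The checksum check from Files Verification above, as an added example that is not part of the AudioCodes manual: a portable equivalent of `md5sum -c filename.md5` that runs the same way on Windows and Linux and reports altered and missing files separately. The `ovoc-*.iso` file names and their contents are constructed stand-ins.

```python
import hashlib
import os
import re
import tempfile

# One entry of an md5sum-style checksum file: 32 hex digits, one space,
# a mode flag (' ' = text, '*' = binary), then the file name.
ENTRY = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text):
    """Return [(expected_md5, file_name)]; a malformed line is an error."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {number}: not an md5sum entry: {line!r}")
        entries.append((match.group(1).lower(), match.group(2)))
    return entries


def verify(checksum_path):
    """Check every listed file. Returns {name: OK | FAILED | MISSING | UNSAFE_PATH}."""
    base = os.path.dirname(os.path.abspath(checksum_path))
    with open(checksum_path, encoding="utf-8") as handle:
        entries = parse_checksum_file(handle.read())
    results = {}
    for expected, name in entries:
        target = os.path.abspath(os.path.join(base, name))
        # Only hash files that sit beside (or below) the checksum file.
        if os.path.commonpath([base, target]) != base:
            results[name] = "UNSAFE_PATH"
        elif not os.path.isfile(target):
            results[name] = "MISSING"
        elif file_digest(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed sample: one intact file, one altered after hashing, one absent."""
    with tempfile.TemporaryDirectory() as folder:
        intact = b"constructed stand-in for an ISO image\n"
        with open(os.path.join(folder, "ovoc-intact.iso"), "wb") as handle:
            handle.write(intact)
        with open(os.path.join(folder, "ovoc-altered.iso"), "wb") as handle:
            handle.write(intact + b"extra bytes")
        listed = hashlib.md5(intact).hexdigest()
        checksum_path = os.path.join(folder, "filename.md5")
        with open(checksum_path, "w", encoding="utf-8", newline="") as handle:
            handle.write(f"{listed}  ovoc-intact.iso\r\n")   # CRLF, as saved on Windows
            handle.write(f"{listed} *ovoc-altered.iso\n")
            handle.write(f"{listed}  ovoc-absent.iso\n")
        return verify(checksum_path)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

An MD5 match shows the file was not corrupted in transfer; because MD5 collisions can be constructed, it does not by itself show the file came from the publisher, so fetch the checksum over a channel you trust. `file_digest(path, "sha256")` gives a stronger digest for your own records.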
In addition the OVOC server includes the following DB operator permissions:

- Analytics user: User used to connect to Northbound DB access clients

6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms

This section describes how to install the OVOC server on the following Cloud-based platforms:

- Launching Public OVOC Image on Amazon Web Services (AWS) below
- Creating OVOC Virtual Machine and Configuring Microsoft Azure on page 31

Launching Public OVOC Image on Amazon Web Services (AWS)

This chapter describes how to create the OVOC virtual machine in an AWS cloud deployment, including the following procedures:

- Step 1 Launching Public Image on AWS below
- Step 2-2 Configuring Mediant Cloud Edition (CE) SBC Devices on AWS on page 27

Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8).

Step 1 Launching Public Image on AWS

This section describes how to setup and load the AWS image.

To setup and load the AWS image:

1. Log into your AWS account.

2. Choose one of the following regions:
    - us-west-1 (N. California)
    - us-west-2 (Oregon)
    - us-east-1 (N. Virginia)
    - eu-west-1 (Ireland)
    - eu-central-1 (Frankfurt)
    - ap-south-1 (Asia Pacific-Mumbai)

   For verifying AMI IDs, refer to https://services.AudioCodes.com.

   Figure 6-1: Select Region

3. In the "Services" menu, choose EC2.

   Figure 6-2: Services Menu - EC2

4. In the Dashboard, navigate to IMAGES > AMIs.

   Figure 6-3: Images

5. In the search bar, choose Public images and apply the following filter: AMI ID : ami-00000000000, replacing ami-00000000000 with the AMI ID you received from AudioCodes according to the region you have chosen.

6. Right-click the AMI and choose Launch.

   Figure 6-4: Launch Public Images

7. Choose an Instance type according to the requirements specified in OVOC Server Minimum Requirements on page 8.

8. Configure Instance (Optional). Using this option, you can edit network settings, for example, placement.

9. Configure a Security Group; you should select an existing security group or create a new one according to the firewall requirements specified in the table below:

   Table 6-1: Firewall for Amazon AWS

   | Protocol | Port | Description |
   |---|---|---|
   | UDP | 162 | SNMP trap listening port on the OVOC server. |
   | UDP | 1161 | Keep-alive - SNMP trap listening port on the OVOC server used for NAT traversal. |
   | TCP | 5000 | Communication for control, media data reports and SIP call flow messages |
   | TCP (TLS) | 5001 | TLS secured communication for control, media data reports and SIP call flow messages |
   | NTP | 123 | NTP server port (also configure the AWS IP address/Domain Name as the NTP server on both the managed device and OVOC server; see relevant procedures in Step 3 Configuring Mediant Cloud Edition (CE) SBC Devices on AWS) |

10. Click Review and Launch > Review > Launch.

11. In the dialog shown in the figure below, from the drop-down list, choose Proceed without a key pair, check the "I acknowledge ..." check box, then click Launch Instances.

    Figure 6-5: Select an Existing Key Pair

12. Click View Instances and wait for the instance to change the state to "running" and the status checks to complete. In the description, note the Public IP address of the instance as highlighted in the figure below.
Figure 6-6: Instance State and Status Checks

Note the AWS public IP address as it is later configured in Step 2-1 Configuring the OVOC Server (OVOC Server Manager) on AWS on the next page.

Step 2 Connecting Mediant Cloud Edition (CE) SBC Devices on AWS

This section describes the procedure for establishing a secure connection between the OVOC server which is installed in the AWS Cloud and Mediant Cloud Edition (CE) SBC devices which are also deployed in the AWS Cloud. Communication between OVOC and Mediant CE SBC devices is carried over the public IP addresses on both sides, requiring NAT translation from internal to public IP addresses. This can be performed by either configuring the OVOC server with the public IP address of the AWS platform where the OVOC server is deployed (see Configure OVOC Server with Public or NAT IP Address on page 114) or by configuring OVOC Cloud Architecture mode (see Configure OVOC Cloud Architecture Mode on page 115).

The Mediant CE SBC devices must be added to OVOC using Automatic Detection. Refer to Section "Adding AudioCodes Devices Automatically" in the OVOC User's Manual.

This section includes the following procedures:

Step 2-1 Configuring the OVOC Server (OVOC Server Manager) on AWS below
Step 2-2 Configuring Mediant Cloud Edition (CE) SBC Devices on AWS on the next page

Step 2-1 Configuring the OVOC Server (OVOC Server Manager) on AWS

This section describes the required configuration actions on the OVOC server deployed in the AWS Cloud.

Restart the OVOC server where specified in the referenced procedures for changes to take effect.

To configure the OVOC server:

1. Log in to the OVOC Server Manager (see Connecting to the OVOC Server Manager on page 163).
2. Change the following default passwords:
   acems OS user (see OS Users Passwords on page 227)
   root OS user (see OS Users Passwords on page 227)
   Unless you have made special configurations, the AWS instance is in the public cloud and therefore is accessible over the Internet. Consequently, it is highly recommended to change these default passwords to minimize exposure to password hacking.
3. Load OVOC license (see License on page 183).
4. Configure the OVOC server with AWS Public IP address to enable devices deployed behind a NAT to connect to OVOC server (see Configure OVOC Server with Public or NAT IP Address on page 114). See the setup of the virtual machine Step 1: Creating Virtual Machine on Azure on page 32 to find the AWS Public IP.
5. Configure the AWS Public IP address/Domain Name (where OVOC is installed) as the external NTP clock source (see NTP on page 211).
   The same clock source should be configured on the managed devices (see Step 2-2-2 Configuring Mediant CE Communication Settings Using Web Interface on the next page).

Step 2-2 Configuring Mediant Cloud Edition (CE) SBC Devices on AWS

This step describes the following configuration procedures on the Mediant CE SBC devices to connect them to the OVOC server that is deployed in the AWS Cloud:

Step 2-2-1: Configuring Mediant CE SNMP Connection with OVOC in Cloud using Stack Manager below
Step 2-2-2 Configuring Mediant CE Communication Settings Using Web Interface on the next page

Step 2-2-1: Configuring Mediant CE SNMP Connection with OVOC in Cloud using Stack Manager

This step describes how to configure the SNMP communication between the OVOC server deployed in the Azure Cloud and the Mediant CE using the Stack Manager.

To configure the Stack Manager:

1. Log in to the Web interface of the Stack Manager that was used to create Mediant Cloud Edition (CE) SBC.
   Refer to Stack Manager for Mediant CE SBC User's Manual.
2. Click the "Mediant CE stack".
3. Click the Modify button and append 161/udp port (for SNMP traffic) to "Management Ports" parameter.
4. Click Update to apply the new configuration.

Figure 6-7: Modify Stack

Step 2-2-2 Configuring Mediant CE Communication Settings Using Web Interface

This section describes how to configure the communication settings between the Mediant CE device and the OVOC server deployed in the AWS Cloud.

The following procedure describes the required configuration for a single CE SBC device. For mass deployment, you can load configuration files to multiple devices using 'Full' or 'Incremental' INI file options (refer to the relevant SBC User's Manual for more information).

To configure the Mediant Cloud Edition (CE) SBC for AWS:

1. Log in to the Mediant Cloud Edition (CE) SBC Web interface or connect from the Devices page in the OVOC Web interface.
2. Open the Quality of Experience Settings screen (Setup Menu > Signaling & Media tab > Media folder > Quality of Experience > Quality of Experience Settings).
3. Click Edit and configure the Keep-Alive Time Interval to 1.
4. Click Apply to confirm changes.
5. Open the TIME & DATE page (Setup menu > Administration tab) and configure the AWS site IP address/FQDN Domain Name (where the OVOC server is installed) as the NTP server clock source.
6. Click Apply to confirm changes.
7. Open the SNMP Community Settings Page (Setup menu > Administration tab > SNMP folder).
8. Set parameter SNMP Disable to No ('Yes' by default).
9. Click Apply to confirm changes.
10. Open the Mediant Cloud Edition (CE) SBC AdminPage (deviceIPaddress/AdminPage) and configure the following ini parameters:

        HostName = <Load Balancer IP>
        SendKeepAliveTrap = 1
        KeepAliveTrapPort = 1161
        SNMPManagerIsUsed_0 = 1
        SNMPManagerTableIP_0 = <OVOC Public IP Address>

11. Reset the device for your settings to take effect (Setup menu > Administration tab > Maintenance folder > Maintenance Actions).

Step 3 Configuring AWS SES Service

This section describes how to configure the OVOC server as the Email server on Amazon AWS. These steps are necessary in order to overcome Amazon security restrictions for sending emails outside of the AWS domain.

If AWS Simple Email Service (SES) runs in Sandbox mode, both sender and recipient addresses should be verified (see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html).

To configure OVOC as email server on AWS SES:

1. Log in to the OVOC server with root permissions.
2. Open file /root/.muttrc:

       cat .muttrc

3. Replace "OVOC@audiocodes.com" with authenticated source email.
4. Open file /etc/exim/exim.conf and using a text editor, find the respective "begin ..." statements and paste the below configuration accordingly:
   Replace: AWS_SES_LOGIN : AWS_SES_PASSWORD with the credentials received from AWS
   Replace: SOURCE_EMAIL with an authenticated source email address
   Replace: HOSTNAME with the VM hostname

       ===================================================
       begin routers
       send_via_ses:
         driver = manualroute
         domains = ! +local_domains
         transport = ses_smtp
         route_list = * email-smtp.eu-central-1.amazonaws.com;
       ===================================================
       begin transports
       ses_smtp:
         driver = smtp
         port = 587
         hosts_require_auth = *
         hosts_require_tls = *
       ===================================================
       begin authenticators
       ses_login:
         driver = plaintext
         public_name = LOGIN
         client_send = : AWS_SES_LOGIN : AWS_SES_PASSWORD
       ===================================================
       begin rewrite
       ^root@HOSTNAME SOURCE_EMAIL SFfrs
       ===================================================

5. Remove old unsent emails from buffer and restart exim service:

       systemctl restart exim
       exim -bp | exiqgrep -i | xargs exim -Mrm
       rm -rf /var/spool/exim/db/*

6. Send test email using mutt:

       echo "Hello!" > ~/message.txt
       mutt -s "Test Mail from OVOC" -F /root/.muttrc EMAIL_ADDRESS < ~/message.txt

7. Check the exim log in /var/log/exim/main.log to verify that the email was sent correctly.

Creating OVOC Virtual Machine and Configuring Microsoft Azure

This chapter describes how to install the OVOC server on a virtual machine in a Cloud-based deployment from the Microsoft Azure Marketplace, including the following procedures:

Step 1: Creating Virtual Machine on Azure on the next page
Step 2: Configuring OVOC as the Email Server on Microsoft Azure on page 38
Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address on page 43
Step 4 Registering Microsoft Teams Application on page 50
Step 5 Configuring Microsoft Graph API Permissions on page 54
Step 6 Configuring AudioCodes Azure Active Directory (Operator Authentication) on page 57

Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8).
Step 1: Creating Virtual Machine on Azure

This procedure describes how to set up and load the virtual image.

To install OVOC from the Microsoft Azure Marketplace:

1. In the Azure Marketplace, search for "AudioCodes One Voice Operations Center (OVOC)" and click Get It Now.
   Figure 6-8: Get it Now
2. Click Continue.
   Figure 6-9: Create this App in Azure
3. You are now logged in to the Azure portal; click Create.
   Figure 6-10: Create Virtual Machine
4. Configure the following:
   a. Choose your Subscription.
   b. Choose your Resource Group or create a new one.
   c. Enter the name of the new Virtual Machine.
   d. Choose the Region.
   e. Choose the VM Size (see Hardware and Software Requirements).
   f. Choose Authentication Type "Password" and enter username and user-defined password or SSH Public Key.
   Figure 6-11: Virtual Machine Details
5. Click Next until the Networking section to configure the network settings:
   Figure 6-12: Network Settings
   a. From the Virtual Network and Subnet drop-down lists, select an existing virtual network/subnet or click Create new to create a new virtual network/subnet.
   b. From the Public IP drop-down list, configure "none", use the existing Public IP or create a new Public IP. If you do not wish the public IP address to change whenever the VM is stopped/started, choose Static SKU or Basic SKU + Static.
   c. Under Configure network security group, click Create new to configure a Network Security Group. Configure this group according to the Firewall rules shown in the table below.
   By default, only ports 22 and 443 are open for inbound traffic; open other ports for managing devices behind a NAT (outside the Azure environment) as described in the table below.

   Table 6-2: Microsoft Azure Firewall

   Protocol    Port   Description
   UDP         162    SNMP trap listening port on the OVOC server.
   UDP         1161   Keep-alive - SNMP trap listening port on the OVOC server used for NAT traversal. This rule is required if Auto-detection is used to add devices in OVOC. See Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address on page 43
   TCP         5000   Communication for control, media data reports and SIP call flow messages sent from Mediant Cloud Edition (CE) SBC.
   TCP (TLS)   5001   TLS secured communication for control, media data reports and SIP call flow messages sent from Mediant Cloud Edition (CE) SBC. This rule is used if the OVOC Server and managed devices (specifically Mediant CE devices) are deployed in separate Azure Virtual networks communicating behind a firewall. See Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address on page 43
   NTP         123    NTP server port (set the Microsoft Azure site IP address/Domain Name (where the OVOC server is installed) as the NTP server clock source). Referenced in procedures in Step 3 Connecting Mediant Cloud Edition (CE) Devices on page 43

6. Click Next until the Review+Create tab, make sure all the settings are correct and click Create.
   Figure 6-13: Review and Create
7. Navigate to the "Virtual machines" section, where you can, for example, monitor the Virtual Machine creation process and find the Public or Private (Internal) IP addresses to access the Virtual Machine.
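The firewall requirements in Table 6-2 (and the matching Table 6-1 for AWS) can be checked mechanically before devices are connected. The following is an added example, not part of the AudioCodes manual: it audits a list of inbound rules against the table. The rule format, the sample rules, the assumption that NTP runs over UDP, and the policy of flagging SSH and the non-TLS port 5000 when they accept any source are this example's own.

```python
"""Audit inbound firewall rules against the OVOC port table (added example)."""
import ipaddress

# Ports listed in Table 6-1 / Table 6-2. The tables give NTP only as "NTP 123";
# UDP is assumed here because NTP runs over UDP.
REQUIRED = {
    ("udp", 162): "SNMP trap listening port",
    ("udp", 1161): "Keep-alive SNMP trap port used for NAT traversal",
    ("tcp", 5000): "Control, media data reports and SIP call flow messages",
    ("tcp", 5001): "TLS-secured control, media data reports and SIP call flow",
    ("udp", 123): "NTP server port",
}
# Open for inbound traffic by default on Azure according to the manual.
DEFAULT_OPEN = {("tcp", 22): "SSH", ("tcp", 443): "HTTPS"}
# Assumption of this example: these ports should not accept traffic from any
# source. SSH is the login path for the acems user, and 5000 carries the same
# reports as 5001 without TLS.
RESTRICT_SOURCE = {("tcp", 22), ("tcp", 5000)}

# Constructed sample rules (203.0.113.0/24 is a documentation address range).
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"protocol": "udp", "from_port": 162, "to_port": 162, "source": "203.0.113.0/24"},
    {"protocol": "udp", "from_port": 1161, "to_port": 1161, "source": "203.0.113.0/24"},
    {"protocol": "tcp", "from_port": 5000, "to_port": 5001, "source": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 8080, "to_port": 8080, "source": "0.0.0.0/0"},
]


def covers(rule, proto, port):
    """True if the rule admits the given protocol/port."""
    return rule["protocol"] == proto and rule["from_port"] <= port <= rule["to_port"]


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return a list of (kind, port, detail) findings for the rule set."""
    findings = []
    known = set(REQUIRED) | set(DEFAULT_OPEN)
    # 1. Every port in the table must be admitted by at least one rule.
    for (proto, port), desc in REQUIRED.items():
        if not any(covers(r, proto, port) for r in rules):
            findings.append(("MISSING", f"{proto}/{port}", desc))
    for r in rules:
        proto = r["protocol"]
        # 2. Ports opened beyond the table widen the exposed surface.
        extra = [p for p in range(r["from_port"], r["to_port"] + 1)
                 if (proto, p) not in known]
        if extra:
            findings.append(("UNEXPECTED", f"{proto}/{r['from_port']}-{r['to_port']}",
                             f"{len(extra)} port(s) outside the table"))
        # 3. Sensitive ports reachable from any address.
        if is_world_open(r["source"]):
            for p_proto, p_port in sorted(RESTRICT_SOURCE):
                if covers(r, p_proto, p_port):
                    findings.append(("WORLD_OPEN", f"{p_proto}/{p_port}", r["source"]))
    return findings


if __name__ == "__main__":
    for kind, port, detail in audit(SAMPLE_RULES):
        print(f"{kind:<11}{port:<16}{detail}")
```
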
Note the public or private (Internal) IP addresses as you need to configure them in Configuring the OVOC Server Manager on Azure (Public IP) on page 44 and Configuring the OVOC Server Manager on Azure (Internal IP) on page 47 respectively.

Figure 6-14: Azure Deployment Process Complete

Step 2: Configuring OVOC as the Email Server on Microsoft Azure

This section describes how to configure the OVOC server as the Email server on Microsoft Azure. These steps are necessary in order to overcome Microsoft Azure security restrictions for sending emails outside of the Microsoft Azure domain. The following options can be configured:

Configuring Alarm Forwarding by Email on Microsoft Azure using Microsoft Office 365
Configuring Alarm Forwarding by Email on Microsoft Azure using SMTP Relay

Step 2-1: Configuring OVOC as the Email Server on Microsoft Azure using Microsoft Office 365

This procedure describes how to configure the OVOC server to forward alarms by email through the configuration of a user account on the Microsoft Office 365 platform.

Replace OFFICE365_USERNAME and PASSWORD with an existing customer's Office 365 username and password. The Office 365 user name is not necessarily the email address.

Do the following:

1. Configure the Exim service on the OVOC server:
   a. Log in to the OVOC server by SSH as 'acems' user and enter password acems.
   b. Switch to 'root' user and provide root password (default password is root):

          su - root

   c. Back up the exim configuration file:

          cp /etc/exim/exim.conf /etc/exim/exim.conf.bak

   d. Edit the exim configuration file:

          vim /etc/exim/exim.conf

   e. After the line "begin routers:" add the following configuration:

          begin routers
          send_via_outlook:
            driver = manualroute
            domains = ! +local_domains
            transport = outlook_smtp
            route_list = "* smtp.office365.com::587 byname"
            host_find_failed = defer
            no_more

   f. After the line "begin transports", add the following configuration:

          begin transports
          outlook_smtp:
            driver = smtp
            hosts = smtp.office365.com
            hosts_require_auth = <; $host_address
            hosts_require_tls = <; $host_address

   g. After the line "begin authenticators", replace Username and Password with your Office 365 username and password:

          begin authenticators
          outlook_login:
            driver = plaintext
            public_name = LOGIN
            client_send = : OFFICE365_USERNAME : PASSWORD

   h. Restart the exim service:

          systemctl restart exim

If the alarm forwarding is still not working following the restart, edit /root/.muttrc and replace the default email address set from = OVOC@audiocodes.com with the proper email address of the owner of the OFFICE365_USERNAME account, because the Outlook SMTP server may block this default address if it verifies that the sender email does not match the specified mailbox user name.

Step 2-2 Configuring OVOC as the Email Server on Microsoft Azure using SMTP Relay

This procedure describes how to configure the OVOC server to forward alarms by email using SMTP Relay. This setup is recommended by Microsoft, and SendGrid is one of the available options. SendGrid service can be easily configured in the Azure Portal and in addition, includes a free tier subscription, supporting up to 25,000 emails per month.

Do the following:

1. Create SendGrid service on the Azure platform:
   a. Open portal.azure.com
   b. Go to the "SendGrid Accounts" section (via Search or in the "All services" section).
   c. Click Add.
   d. Fill in the following fields:
      Name: Choose a name
      Password
      Subscription
      Resource Group (create a new one or choose existing)
      Pricing tier: choose Free or one of the other plans
      Contact Information
      Read legal terms
   e. Click Create.
   f. Wait for the service to be created.
   g. Go back to "SendGrid Accounts" and click on the new account name.
   h. Click the "Configurations" section in the Settings tab.
   i. Copy the Username; it will be used in the next step along with the password (format azure_xxxxxxxx@azure.com).
2. Configure the Exim service on the OVOC server:
   a. Log in to the OVOC server by SSH as 'acems' user and enter password acems.
   b. Switch to 'root' user and provide root password (default password is root):

          su - root

   c. Back up the exim configuration file:

          cp /etc/exim/exim.conf /etc/exim/exim.conf.bak

   d. Edit the exim configuration file:

          vim /etc/exim/exim.conf

   e. After the line "begin transports", add the following configuration:

          begin transports
          sendgrid_smtp:
            driver = smtp
            hosts = smtp.sendgrid.net
            hosts_require_auth = <; $host_address
            hosts_require_tls = <; $host_address

   f. After the line "begin routers", add the following configuration:

          begin routers
          send_via_sendgrid:
            driver = manualroute
            domains = ! +local_domains
            transport = sendgrid_smtp
            route_list = "* smtp.sendgrid.net::587 byname"
            host_find_failed = defer
            no_more

   g. After the line "begin authenticators", add the following configuration, replacing Username and Password with your SendGrid User/Pass:

          begin authenticators
          sendgrid_login:
            driver = plaintext
            public_name = LOGIN
            client_send = : Username : Password

   h. Save the file and exit back to the command line.
   i. Restart the Exim service:

          systemctl restart exim

   j. Check that the alarm forwarding by email functions correctly.

You can access the SendGrid Web interface using the same username/password, where among other features you can find an Activity log, which may be useful for verifying issues such as when emails are sent correctly but are blocked by a destination email server.
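All three mail setups on this page (AWS SES, Office 365, SendGrid) pair a plaintext LOGIN authenticator with an smtp transport, so the credentials in client_send are guaranteed to be encrypted in transit only when that transport sets hosts_require_tls. The following is an added example, not part of the AudioCodes manual: it parses the router, transport and authenticator fragments shown above and reports a transport that does not require TLS or authentication, placeholders left unreplaced, and a world-readable configuration file. The parser is simplified to the constructs used on this page, and the sample configuration and credential values are constructed.

```python
"""Check an exim.conf relay setup like the ones in this manual (added example)."""
import os
import re
import stat

# Placeholder tokens used by the manual's three exim.conf fragments.
PLACEHOLDERS = {"AWS_SES_LOGIN", "AWS_SES_PASSWORD", "OFFICE365_USERNAME",
                "PASSWORD", "Username", "Password"}
SECTIONS = ("routers", "transports", "authenticators")

# Constructed sample: the SES fragment with hosts_require_tls left out and the
# credential placeholders still in place.
WEAK_CONF = """
begin routers
send_via_ses:
  driver = manualroute
  domains = ! +local_domains
  transport = ses_smtp
  route_list = * email-smtp.eu-central-1.amazonaws.com;
begin transports
ses_smtp:
  driver = smtp
  port = 587
  hosts_require_auth = *
begin authenticators
ses_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : AWS_SES_LOGIN : AWS_SES_PASSWORD
begin rewrite
^root@HOSTNAME SOURCE_EMAIL SFfrs
"""
# The same fragment corrected; the credential values are constructed.
FIXED_CONF = (WEAK_CONF
              .replace("hosts_require_auth = *",
                       "hosts_require_auth = *\n  hosts_require_tls = *")
              .replace(": AWS_SES_LOGIN : AWS_SES_PASSWORD",
                       ": constructed-user : constructed-secret"))


def parse_exim(text):
    """Return {section: {instance: {option: value}}} for the three sections."""
    conf = {s: {} for s in SECTIONS}
    section = instance = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or set(line) == {"="}:
            continue  # blank, comment, or the manual's ===== separator
        m = re.fullmatch(r"begin\s+(\w+)", line)
        if m:
            section, instance = m.group(1), None
            continue
        if section not in conf:
            continue  # main section, rewrite, acl ... are not inspected
        m = re.fullmatch(r"(\w+):", line)
        if m:
            instance = m.group(1)
            conf[section][instance] = {}
        elif instance and "=" in line:
            key, value = line.split("=", 1)
            conf[section][instance][key.strip()] = value.strip()
        elif instance:
            conf[section][instance][line] = "true"  # bare option, e.g. no_more
    return conf


def check(conf):
    """Return human-readable findings for a parsed configuration."""
    findings = []
    for rname, router in conf["routers"].items():
        if router.get("driver") != "manualroute":
            continue
        tname = router.get("transport")
        transport = conf["transports"].get(tname)
        if transport is None:
            findings.append(f"router {rname}: transport {tname!r} is not defined")
            continue
        for opt in ("hosts_require_tls", "hosts_require_auth"):
            if not transport.get(opt):
                findings.append(f"transport {tname}: {opt} is not set")
    for aname, auth in conf["authenticators"].items():
        if auth.get("driver") != "plaintext":
            continue
        fields = [f.strip() for f in auth.get("client_send", "").split(":")]
        left = sorted(PLACEHOLDERS.intersection(fields))
        if left:
            findings.append(
                f"authenticator {aname}: placeholder(s) {', '.join(left)} not replaced")
    return findings


def world_readable(path):
    """True if 'other' users can read the file that holds the credentials."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, check(parse_exim(text)) or "no findings")
```
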
Step 3 Connecting Mediant Cloud Edition (CE) Devices

This section describes how to connect Mediant Cloud Edition (CE) devices to OVOC using one of the following options:

Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address below
Option 2 Connecting Mediant Cloud Edition (CE) Devices to OVOC on Azure using Internal IP Address on page 46

Option 1: Connecting Mediant Cloud Edition (CE) SBC Devices to OVOC on Azure using Public IP Address

This section describes how to establish a secure connection between the OVOC server and Mediant Cloud Edition (CE) SBC devices which are both deployed in the Azure Cloud in separate Virtual networks. Communication between OVOC and Mediant CE SBC devices is carried over the public IP addresses on both sides, requiring NAT translation from internal to public IP addresses. This is performed by configuring the OVOC server with the public IP address of the Azure platform where the OVOC server is installed (see Configure OVOC Server with Public or NAT IP Address on page 114). The figure below illustrates this topology.

The Mediant CE SBC devices must be added to OVOC using Automatic Detection. Refer to Section "Adding AudioCodes Devices Automatically" in the OVOC User's Manual.

Figure 6-15: Microsoft Azure Topology

This section includes the following procedures:

1. Configuring the OVOC Server Manager on Azure (Public IP) on the next page
2. Configuring Mediant Cloud Edition (CE) SBC Devices on Azure (Public IP) below

Configuring the OVOC Server Manager on Azure (Public IP)

This section describes the required configuration actions on the OVOC server deployed in the Azure Cloud.

Restart the OVOC server where specified in the referenced procedures for changes to take effect.

To configure the OVOC server:

1. Log in to the OVOC Server Manager (see Connecting to the OVOC Server Manager on page 163).
2. Change the following default passwords:
   acems OS user (see OS Users Passwords on page 227)
   root OS user (see OS Users Passwords on page 227)
   Unless you have made special configurations, the Azure instance is in the public cloud and therefore is accessible over the Internet. Consequently, it is highly recommended to change these default passwords to minimize exposure to password hacking.
3. Load the OVOC license (see License on page 183).
4. Configure the OVOC server with Azure Public IP address to enable devices deployed behind a NAT to connect to OVOC (see Configure OVOC Server with Public or NAT IP Address on page 114). See the setup of the virtual machine to find the Azure Public IP (see Creating OVOC Virtual Machine and Configuring Microsoft Azure on page 31).
5. Configure the Azure IP address/Domain Name (where OVOC is installed) as the external NTP clock source (see NTP on page 211).
   The same clock source should be configured on the managed devices (see Configuring Mediant CE OVOC Public IP Connection Settings using Web Interface on the next page).

Configuring Mediant Cloud Edition (CE) SBC Devices on Azure (Public IP)

This step describes the following configuration procedures on the Mediant CE to connect to the OVOC server that is deployed in the Azure Cloud:

1. Configuring Mediant CE SNMP Public IP Connection using Stack Manager on the next page
2. Configuring Mediant CE OVOC Public IP Connection Settings using Web Interface on the next page

Configuring Mediant CE SNMP Public IP Connection using Stack Manager

This step describes how to configure the SNMP communication between the OVOC server deployed in the Azure Cloud and the Mediant CE using the Stack Manager.

To configure the Stack Manager:

1. Log in to the Web interface of the Stack Manager that was used to create Mediant Cloud Edition (CE) SBC. Refer to Stack Manager for Mediant CE SBC User's Manual.
2. Click the "Mediant CE stack".
3. Click the Modify button and append 161/udp port (for SNMP traffic) to "Management Ports" parameter.
4. Click Update to apply the new configuration.

Figure 6-16: Modify Stack

Configuring Mediant CE OVOC Public IP Connection Settings using Web Interface

This section describes how to configure the communication settings between the Mediant CE device and the OVOC server deployed in the Azure Cloud.

The following procedure describes the required configuration for a single CE SBC device. For mass deployment, you can load configuration files to multiple devices using 'Full' or 'Incremental' INI file options (refer to the relevant SBC User's Manual for more information).

To configure the Mediant Cloud Edition (CE) SBC:

1. Log in to the Mediant Cloud Edition (CE) SBC Web interface or connect from the Devices page in the OVOC Web interface.
2. Open the Quality of Experience Settings screen (Setup Menu > Signaling & Media tab > Media folder > Quality of Experience > Quality of Experience Settings).
3. Click Edit and configure the Keep-Alive Time Interval to 1.
4. Click Apply to confirm the changes.
5. Open the TIME & DATE page (Setup menu > Administration tab) and in the NTP Server Address field, set the Microsoft Azure site IP address/Domain Name (where the OVOC server is installed) as the NTP server clock source.
6. Click Apply to confirm the changes.
7. Open the SNMP Community Settings Page (Setup menu > Administration tab > SNMP folder).
8. Set parameter SNMP Disable to No ('Yes' by default).
9. Click Apply to confirm changes.
10.
Open the Mediant Cloud Edition (CE) SBC AdminPage (deviceIPaddress/AdminPage) and configure the following ini parameters:

        HostName = <Load Balancer IP>
        SendKeepAliveTrap = 1
        KeepAliveTrapPort = 1161
        SNMPManagerIsUsed_0 = 1
        SNMPManagerTableIP_0 = <OVOC Public IP Address>

11. Reset the device for your settings to take effect (Setup menu > Administration tab > Maintenance folder > Maintenance Actions).

Option 2 Connecting Mediant Cloud Edition (CE) Devices to OVOC on Azure using Internal IP Address

This section describes how to establish a secure connection between the OVOC server and Mediant CE devices which are both deployed in the Azure Cloud in the same Virtual network. Communication between OVOC and Mediant CE SBC devices is carried over internal IP addresses (Private IP addresses) on both sides. The figure below illustrates this topology.

The Mediant CE SBC devices must be added manually to OVOC. Refer to Section "Adding AudioCodes Devices Manually" in the OVOC User's Manual.

Figure 6-17: Internal IP Connection

This section includes the following procedures:

Configuring the OVOC Server Manager on Azure (Internal IP) below
Configuring Mediant Cloud Edition (CE) SBC Devices on Azure (Internal IP) on the next page

The Mediant CE SBC devices must be added to OVOC manually. Refer to Section "Adding AudioCodes Devices Manually" in the OVOC User's Manual.

Configuring the OVOC Server Manager on Azure (Internal IP)

This section describes the required configuration actions on the OVOC server deployed in the Azure Cloud when CE devices are deployed in the same Virtual network.

Restart the OVOC server where specified in the referenced procedures for changes to take effect.

To configure the OVOC server:

1. Log in to the OVOC Server Manager (see Connecting to the OVOC Server Manager on page 163).
2. Change the following default passwords:
   acems OS user (see OS Users Passwords on page 227)
   root OS user (see OS Users Passwords on page 227)
   Unless you have made special configurations, the Azure instance is in the public cloud and therefore is accessible over the Internet. Consequently, it is highly recommended to change these default passwords to minimize exposure to password hacking.
3. Load the OVOC license (see License on page 183).
4. Configure the OVOC server with its internal (private) IP address to enable devices deployed in the same Azure Virtual network to connect to OVOC (see Server IP Address on page 195). See the setup of the virtual machine Step 1: Creating Virtual Machine on Azure on page 32 to find the Azure Internal IP.
5. Configure the Azure IP address/Domain Name (where OVOC is installed) as the external NTP clock source (see NTP on page 211).
   The same clock source should be configured on the managed devices (see Configuring Mediant CE OVOC Internal IP Connection Settings using Web Interface on the next page).

Configuring Mediant Cloud Edition (CE) SBC Devices on Azure (Internal IP)

This step describes the following configuration procedures on the Mediant CE to connect to the OVOC server that is deployed in the Azure Cloud in the same Virtual network by connecting through internal IP addresses on both sides:

Configuring Mediant CE SNMP Internal IP Connection with OVOC using Stack Manager below
Configuring Mediant CE OVOC Internal IP Connection Settings using Web Interface on the next page

Configuring Mediant CE SNMP Internal IP Connection with OVOC using Stack Manager

This step describes how to configure the SNMP communication between the OVOC server and Mediant CE devices using the Stack Manager when both are deployed in the same Azure Virtual network.

To configure the Stack Manager:

1. Log in to the Web interface of the Stack Manager that was used to create Mediant Cloud Edition (CE) SBC. Refer to Stack Manager for Mediant CE SBC User's Manual.
2. Click the "Mediant CE stack".
3. Click the Modify button and append 161/udp port (for SNMP traffic) to "Management Ports" parameter.
4. Click Update to apply the new configuration.

Figure 6-18: Modify Stack

Configuring Mediant CE OVOC Internal IP Connection Settings using Web Interface

This section describes how to configure the connection settings between the Mediant CE device and the OVOC server deployed in the Azure Cloud in the same Virtual network.

The following procedure describes the required configuration for a single CE SBC device. For mass deployment, you can load configuration files to multiple devices using 'Full' or 'Incremental' INI file options (refer to the relevant SBC User's Manual for more information).

To configure the Mediant Cloud Edition (CE) SBC:

1. Log in to the Mediant Cloud Edition (CE) SBC Web interface or connect from the Devices page in the OVOC Web interface.
2. Open the TIME & DATE page (Setup menu > Administration tab) and in the NTP Server Address field, set the Microsoft Azure site IP address/Domain Name (where the OVOC server is installed) as the NTP server clock source.
3. Click Apply to confirm the changes.
4. Open the SNMP Community Settings Page (Setup menu > Administration tab > SNMP folder).
5. Set parameter SNMP Disable to No ('Yes' by default).
6. Click Apply to confirm changes.
7. Open the Mediant Cloud Edition (CE) SBC AdminPage (deviceIPaddress/AdminPage) and configure the following ini parameters:

       HostName = <Load Balancer IP>
       SNMPManagerIsUsed_0 = 1
       SNMPManagerTableIP_0 = <OVOC Server Internal IP>

8.
Reset the device for your settings to take effect (Setup menu > Administration tab > Maintenance folder > Maintenance Actions). Step 4 Registering Microsoft Teams Application This procedure describes how to register the Microsoft Teams application that is used for retrieving Call Notifications for the managed Microsoft Teams tenant. To register the application: 1. Open the Azure Portal, the Overview page is displayed with the Tenant ID of the managed Teams tenant. - 50 - CHAPTER 6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms Figure 6-19: Tenant ID OVOC | IOM 2. In the Navigation pane, select App registrations. Figure 6-20: App Registrations 3. Click New registration. Figure 6-21: New registration 4. Enter the name of the application and then click Register. - 51 - CHAPTER 6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms Figure 6-22: Name the application OVOC | IOM Figure 6-23: Successful Registration 5. In the Navigation pane select Certificate & Secrets. - 52 - CHAPTER 6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms Figure 6-24: Certificate & Secrets OVOC | IOM 6. Click New client secret. Figure 6-25: New Client Secret 7. Click Add. The newly added client secret is added as shown in the figure below. - 53 - CHAPTER 6 Installing OVOC Server on Virtual Machines on Cloud-based Platforms Figure 6-26: Add a client secret OVOC | IOM 8. The client secret is added as shown in the screen below. Copy it to the clipboard as you will be required to enter it in later configuration. Figure 6-27: Added Certificates & Secrets Step 5 Configuring Microsoft Graph API Permissions This procedure describes how to configure the appropriate permissions to connect to Microsoft Graph API that is used to interface with Microsoft Teams to retrieve the Call Notifications. To configure Microsoft Graph permissions: 1. In the Navigation pane, select API permissions. 
   Figure 6-28: API Permissions

2. Click Add a permission.

   Figure 6-29: Add a permission

3. Select Grant Admin Consent for .... and select Yes. If the App hasn't been granted admin consent, users are prompted to grant consent the first time they use the App.
4. Select Microsoft Graph.

   Figure 6-30: Request API Permissions

5. Select Application permissions.

   Figure 6-31: Application permissions

6. Search for the permission Call Records.

   Figure 6-32: Call Records

7. Set permission CallRecords.Read.All to enable access to retrieved call notifications.

   Figure 6-33: API Permissions

8. You can optionally set permission User.Read to display caller details in retrieved call records.

   Figure 6-34: User Read Permissions

Step 6 Configuring AudioCodes Azure Active Directory (Operator Authentication)

This procedure describes how to configure security permissions for OVOC operators who are authenticated with Azure Active Directory (when the "Azure" authentication type is configured in the OVOC Web (Security > Authentication settings page)).

To configure Microsoft Azure:
1. Add Service Providers Account Domain:
   a. Open the Microsoft 365 Admin Center.
   b. Log in to AudioCodes with administrator privileges (via office.com).
   c. In the Navigation pane, select Setup > Domains.

      Figure 6-35: Domains

2. Create a new Tenant in the Azure Portal: Sign in to the Azure portal as Global Administrator and extract the Tenant ID of your directory (required for the OVOC Azure authentication setup in OVOC Azure Configuration). For details, see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant
3. Add Tenant Operators on AudioCodes Microsoft Azure:

   You must change passwords for new users upon first login via Azure portal sign-in before logging in to OVOC.

   At this stage, guest users that you invite from other tenants/directories are not fully supported by OVOC.

   For details, refer to the following:
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal#create-a-basic-group-and-add-members
   - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory#add-a-new-user
4. Add Security Groups:
   a. Open AudioCodes Office 365.
   b. Open the Admin page.
   c. In the Navigation pane, select Groups.

      Figure 6-36: Add a Security Group

      A list of existing groups is displayed. Note that several custom security groups that have been predefined for OVOC are displayed in the screen below with the 'EMS_' prefix.
   d. Click Add a group.
   e. Select the Security option and then click Next.

      Figure 6-37: Choose a Group Type

   f. Enter the Service Provider Domain account name and then click Next.

      Figure 6-38: Setup the Basics

   g. Review and finish adding the group.

      Figure 6-39: Review and Finish

   h. Click Create group. A confirmation screen is displayed:

      Figure 6-40: New Group Created

5. Add New Users:
   a. In the Navigation pane, select Active Users.
   b. Click Add a User.
   c. Enter the details of the Service Provider account user.

      Figure 6-41: Create New User

   d. Assign Product License (Choose country).

      Figure 6-42: Assign Product Licenses

   e. Select the option create user without product license and then click Next.
      Figure 6-43: Review and finish

   f. Click Finish adding.
   g. Select the option create user without product license and then click Next.

      Figure 6-44: Review and Finish

   h. Click Finish adding.
6. Add User Membership: add user membership to the predefined One Voice Live Security groups and to the Security Group that you defined above.
   a. In the Navigation pane, select Active Users and then select the new user that you created above.

      Figure 6-45: Add User Membership

   b. Click Manage groups and then Add Membership.

      Figure 6-46: Add Membership

   c. Select the check boxes adjacent to the required OVOC group permissions:
      - EMS_Tenant_Admin_Links
      - EMS_Tenant_Operator_Links
      - EMS_Tenant_Monitor_Links
   d. Add membership to the Service Provider Account Group, i.e. the Security Group that you created above. In the example below, membership has been added to the 'EMS_Operator' and 'SouthVoIP' Group.

      Figure 6-47: Add Membership

      This Group Name corresponds to the "AD Authentication: Group Name" that is configured for the OVOC Tenant created for this account in OVOC.
   e. Click Save and close.

      Figure 6-48: Successful Membership Assignment

7. Register new WEB Application: See https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. The Redirect URI should be configured as type Web, with OVOC's login endpoint specified as the URI:

    https://<IP address>/ovoc/v1/security

   Generally, from this step you only need to keep the Client ID of your application, which you must specify in the OVOC Microsoft Azure authentication setup (see Authentication and Authorization using Microsoft Azure).
8. Create Client Secret for your Registered Application: See https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application. You must configure this secret in Authentication and Authorization using Microsoft Azure.
9. Grant API Permissions: Extend the application's default permission set and give admin consent to all the existing permissions. Add, and provide admin consent to, the following delegated Microsoft Graph API permission: Group.Read.All. For more details, refer to the following:
   - https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis
   - https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#understanding-api-permissions-and-admin-consent-ui

7 Installing OVOC Server on VMware Virtual Machine

This section describes how to install the OVOC server on a VMware vSphere machine. This procedure takes approximately 30 minutes. This time is estimated on the HP DL 360 G8 platform (with CPU, disk and memory as specified in Configuring the Virtual Machine Hardware Settings on page 85). The upgrade time depends on the hardware machine where the VMware vSphere platform is installed.

Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8). Failure to meet these requirements will lead to the aborting of the installation.

For obtaining the installation files, see OVOC Software Deliverables on page 15. Note that you must verify this file; see Files Verification on page 18.

Deploying OVOC Image with VMware vSphere Hypervisor (ESXi)

This section describes how to deploy the OVOC image with the VMware ESXi Web client.
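The ovftool command in this section is run with --disableVerification (which skips validation of the package signature and certificate) and --noSSLVerify (which skips TLS certificate verification for the target connection), and its sample output warns that the .vmdk has no manifest entry. As an added example (not AudioCodes or VMware code), the following Python script checks every file in an OVA against the package's own .mf manifest before deployment and reports files that are mismatched or unlisted; the sample archive and its file names are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest lines look like: SHA256(file.vmdk)= <hex digest>
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def parse_manifest(text):
    """Return {file_name: (hash_algorithm, hex_digest)} from .mf text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        algo, name, digest = match.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries


def _digest(fileobj, algo):
    """Hash a file object in 1 MiB chunks so large disks are not loaded whole."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_ova(source):
    """Verify an OVA (uncompressed tar) given as a path or binary file object."""
    kwargs = {"name": source} if isinstance(source, str) else {"fileobj": source}
    report = {"has_manifest": False, "ok": [], "mismatched": [],
              "unlisted": [], "missing": []}
    with tarfile.open(mode="r:", **kwargs) as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        mf_names = [n for n in members if n.lower().endswith(".mf")]
        manifest = {}
        if mf_names:
            report["has_manifest"] = True
            mf_bytes = tar.extractfile(members[mf_names[0]]).read()
            manifest = parse_manifest(mf_bytes.decode("utf-8"))
        for name, member in members.items():
            if name.lower().endswith((".mf", ".cert")):
                continue  # the manifest and its signature are not self-listed
            if name not in manifest:
                report["unlisted"].append(name)  # the "No manifest entry" case
                continue
            algo, expected = manifest[name]
            actual = _digest(tar.extractfile(member), algo)
            report["ok" if actual == expected else "mismatched"].append(name)
        # Files the manifest names but the archive does not contain.
        report["missing"] = sorted(set(manifest) - set(members))
    report["verified"] = bool(
        report["has_manifest"] and report["ok"]
        and not (report["mismatched"] or report["unlisted"] or report["missing"])
    )
    return report


def build_sample_ova(tamper_disk=False, list_disk=True):
    """Constructed in-memory OVA with tiny stand-in files (not a real OVOC image)."""
    files = {"sample.ovf": b"<Envelope/>", "sample-disk1.vmdk": b"\x00" * 4096}
    lines = [f"SHA256({name})= {hashlib.sha256(data).hexdigest()}"
             for name, data in files.items()
             if list_disk or not name.endswith(".vmdk")]
    files["sample.mf"] = ("\n".join(lines) + "\n").encode()
    if tamper_disk:  # change the disk after the manifest was written
        files["sample-disk1.vmdk"] = b"\x01" + files["sample-disk1.vmdk"][1:]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, ova in [("intact", build_sample_ova()),
                       ("tampered disk", build_sample_ova(tamper_disk=True)),
                       ("disk not in manifest", build_sample_ova(list_disk=False))]:
        print(label, verify_ova(ova))
```

A matching manifest only shows that the archive is internally consistent, so the file verification required before deployment (Files Verification on page 18) still applies.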
This procedure is run using the VMware OVF tool that can be installed on any Linux machine. This procedure describes how to deploy the image using the OVF tool, which can be downloaded from: https://www.vmware.com/support/developer/ovf/

The OVOC image can also be deployed using the vSphere web client GUI.

To run the VMware OVF tool:
1. Transfer the 7z file containing the VMware Virtual Machine installation package that you received from AudioCodes to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Open the VMware OVF tool.
3. Enter the following command and press Enter:

    ovftool --disableVerification --noSSLVerify --name=$VMname --datastore=$DataStore -dm=thin --acceptAllEulas --powerOn $ovaFilePath vi://$user:$password@$vCenterIP/$dataCenterName/host/$clusterName/$ESXIHostName

   Where:
   - $VMname (--name): is the name of the deployed machine
   - $DataStore: data store for deployment
   - $user:$password: is the user and password of the VMware Host machine
   - $vCenterIP: vCenter IP Address
   - $dataCenterName: data center name inside the vCenter
   - $clusterName: cluster name under data center tree
   - $ESXIHostName: deployed ESXI IP Address

   Example:

    ovftool --disableVerification --noSSLVerify --name=ovoctest --datastore=Netapp04.lun1 -dm=thin --acceptAllEulas --powerOn c:\tmp\OVOC_VMware_7.8.2241.ova vi://vmware:P@ssword123@10.3.94.68/QASWDatacenter/host/qaswCluster01/10.3.180.211

   Figure 7-1: OVF Example

   The following progress is displayed:

    Opening OVA source: /data1/ 8.0.110/DVD5/ 8.0.110.xxxx/OVOC-VMware8.0.110.xxxx.ova
    Opening VI target: vi://root@172.17.135.9:443/
    Deploying to VI: vi://root@172.17.135.9:443/
    Disk progress: 10%
    Transfer Completed
    The manifest validates
    Powering on VM: FirstDeploy
    Task Completed
    Warning:
     - No manifest entry found for: 'OVOC-VMware- 8.0.110.xxxx-disk1.vmdk'.
    Completed successfully

Deploying OVOC Image with VMware vSphere Hypervisor (ESXi) in Service Provider Cluster

This procedure describes how to deploy the OVOC image with VMware vSphere Hypervisor (ESXi) in Service Provider Cluster. The procedure requires you to perform the following steps:
1. On the existing OVOC server VM, perform a full backup and upgrade to version 8.0.110 (see Step 1 Upgrade Existing Virtual Machine below).
2. On a new VM, install the version 8.0.110 Service Provider Cluster Management OVA and restore the backup created in step 1 (see Step 2 Install Service Provider Cluster on Management Server on page 70).
3. On a new VM, install the version 8.0.110 Service Provider Cluster VQM OVA (see Step 3 Install VQM Server on page 71).
4. On a new VM, install the version 8.0.110 Service Provider Cluster PM OVA (see Step 4 Install PM Server on page 71).

Step 1 Upgrade Existing Virtual Machine

Before installing the Service Provider Cluster, you must upgrade your existing virtual machine to OVOC Version 8.0.110.

Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file.

To upgrade the existing OVOC server VM:
1. Using the WinSCP utility (see Transferring Files on page 295), copy the DVD3.ISO file for OVOC Version 8.0.110 that you saved to your PC in Step 1: Setup the Virtual Machine on page 122 to the OVOC server acems user home directory: /home/acems
2. Open an SSH connection or the VM console.
3. Log in to the OVOC server as the 'acems' user with password acems (or the customer-defined password).
4. Switch to the 'root' user and provide the root password (default password is root):

    su root

5. Mount the CDROM to make it available:

    mount /home/acems/DVD3_OVOC_8.0.110.iso /mnt
    cd /mnt/EmsServerInstall/

6. Run the installation script from its location:

    ./install

   Figure 7-2: OVOC server Installation Script

7. Enter y, and then press Enter to accept the License agreement.

   Figure 7-3: OVOC server Upgrade License Agreement

8. The upgrade process installs OS package updates and patches. After the patch installation, a reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 2-7 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.

   Figure 7-4: OVOC Server Installation Complete

9. Wait for the installation to complete and reboot the OVOC server by typing reboot.
10. Schedule a full backup of the OVOC server to the nearest possible time (see Change Schedule Backup Time on page 157) and then verify that all necessary files have been generated (see OVOC Server Backup Processes on page 156).

Step 2 Install Service Provider Cluster on Management Server

This procedure describes how to deploy the OVOC image with VMware vSphere Hypervisor (ESXi) in a Service Provider Cluster configuration on the new virtual machine that is designated as the Management server. The procedure describes how to deploy the OVOC image with the VMware ESXi Web client using the OVF tool, which can be downloaded from: https://www.vmware.com/support/developer/ovf/ and installed on any Linux machine.

The OVOC image can also be deployed using the vSphere web client GUI.

You must install the Management server prior to installing the VQM and PM servers.

Refer to OVOC Software Deliverables on page 15 for information on media deliverables.

To install Service Provider Cluster (Management server):
1. On the new virtual machine: Transfer the 7z file containing the VMware Virtual Machine Management installation package that you received from AudioCodes to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Run the VMware OVF tool (see Deploying OVOC Image with VMware vSphere Hypervisor (ESXi) on page 66).
3. After the VM has been created, Inflate Thin Virtual Disk. For instructions: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.storage.doc/GUID-C371B88F-C407-4A69-8F3B-FA877D6955F8.html
4. Restore the backup that you created in Step 1 Upgrade Existing Virtual Machine on page 68 (see OVOC Server Restore on page 158).
5. Configure Service Provider Cluster mode (see Service Provider Cluster on page 188).
6. Install the VQM and PM servers (see Step 3 Install VQM Server below and Step 4 Install PM Server below).

Step 3 Install VQM Server

This procedure describes how to install the Service Provider Cluster mode on the new virtual machine that is designated for the VQM Server.

The OVOC image can also be deployed using the vSphere web client GUI.

Refer to OVOC Software Deliverables on page 15 for information on media deliverables.

You must install the Management server prior to installing the VQM server (see Step 2 Install Service Provider Cluster on Management Server on the previous page).

To install the VQM server:
1. On the new virtual machine: Transfer the 7z file containing the VMware Virtual Machine VQM installation package that you received from AudioCodes to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Run the VMware OVF tool (see Deploying OVOC Image with VMware vSphere Hypervisor (ESXi) on page 66).
3. After the VM has been created, Inflate Thin Virtual Disk. For instructions: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.storage.doc/GUID-C371B88F-C407-4A69-8F3B-FA877D6955F8.html

Step 4 Install PM Server

This procedure describes how to install the Service Provider Cluster mode on the new virtual machine that is designated for the PM Server.

The OVOC image can also be deployed using the vSphere web client GUI.

Refer to OVOC Software Deliverables on page 15 for information on media deliverables.

You must install the Management server prior to installing the PM server (see Step 2 Install Service Provider Cluster on Management Server on the previous page).

To install the PM server:
1. On the new virtual machine: Transfer the 7z file containing the VMware Virtual Machine PM installation package that you received from AudioCodes to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Run the VMware OVF tool (see Deploying OVOC Image with VMware vSphere Hypervisor (ESXi) on page 66).
3. After the VM has been created, Inflate Thin Virtual Disk. For instructions: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.storage.doc/GUID-C371B88F-C407-4A69-8F3B-FA877D6955F8.html

Configuring the Virtual Machine Hardware Settings

This section shows how to configure the Virtual Machine's hardware settings. Before starting this procedure, select the required values for your type of installation (high or low profile) and note them in the following table for reference. For the required VMware Disk Space allocation, CPU, and memory, see Hardware and Software Specifications on page 8.

Table 7-1: Virtual Machine Configuration

    Required Parameter    Value
    Disk size
    Memory size
    CPU cores

To configure the virtual machine hardware settings:
1. Before powering up the machine, go to the virtual machine Edit Settings option.
   Figure 7-5: Edit Settings option

2. In the CPU, Memory and Hardware tabs, set the required values according to the desired OVOC server VMware Disk Space allocation (see Hardware and Software Specifications on page 8), and then click OK.

   Figure 7-6: CPU, Memory and Hard Disk Settings

   Once the hard disk space allocation is increased, it cannot be reduced to a lower amount.

   If you wish to create OVOC VMs in a cluster environment supporting High Availability and you are using shared network storage, then ensure you provision a VM hard drive on the shared network storage on the cluster (see Configuring OVOC Virtual Machines (VMs) in a VMware Cluster below).
3. Wait until the machine reconfiguration process has completed.

   Figure 7-7: Recent Tasks

Configuring OVOC Virtual Machines (VMs) in a VMware Cluster

This section describes how to configure OVOC VMs in a VMware cluster.

VMware Cluster Site Requirements

Ensure that your VMware cluster site meets the following requirements:
   - The configuration process assumes that you have a VMware cluster that contains at least two ESXi servers controlled by a vCenter server.
   - The clustered VM servers should be connected to a shared network storage of type iSCSI or any other type supported by VMware ESXi. For example, a datastore "QASWDatacenter" contains a cluster named "qaswCluster01" that is composed of two ESXi servers (see figure below).
   - Verify that Shared Storage is defined and mounted for all cluster members:

     Figure 7-8: Storage Adapters

   - Ensure that the 'Turn On vSphere HA' check box is selected:

     Figure 7-9: Turn On vSphere HA

   - Ensure that HA is activated on each cluster node:

     Figure 7-10: Activate HA on each Cluster Node

   - Ensure that the networking configuration is identical on each cluster node:

     Figure 7-11: Networking

   - Ensure that vMotion is enabled on each cluster node. The recommended method is to use a separate virtual switch for the vMotion network (this should be defined in all cluster nodes and interconnected):

     Figure 7-12: Switch Properties

   - A VM will be movable and HA protected only when its hard disk is located on shared network storage on a cluster. You should choose an appropriate location for the VM hard disk when you deploy the OVOC VM. If your configuration is performed correctly, a VM should be marked as "protected", as shown in the figure below:

     Figure 7-13: Protected VM

If you wish to manually migrate the OVOC VMs to another cluster node, see Managing Clusters on page 278.

Cluster Host Node Failure on VMware

If a host node where the VM is running fails, the VM is automatically restarted on the redundant cluster node.

When one of the cluster nodes fails, the OVOC VM is automatically migrated to the redundant host node. During this process, the OVOC VM is restarted and consequently any active OVOC process is dropped. The migration process may take several minutes.

Connecting OVOC Server to Network on VMware

After installation, the OVOC server is assigned a default IP address that will most likely be inaccessible from the customer's network. This address is assigned to the first virtual network interface card connected to the 'trusted' virtual network switch during the OVOC server installation. You need to change this IP address to suit your IP addressing scheme.

To connect to the OVOC server:
1. Power on the machine; in the vCenter tree, right-click the AudioCodes One Voice Operations Center node (vOC) and in the drop-down menu, choose Power > Power On. Upon the initial boot up after reconfiguring the disk space, the internal mechanism configures the server installation according to the version specifications (see Hardware and Software Specifications on page 8).

   Figure 7-14: Power On

2. Wait until the boot process has completed, and then connect to the running server through the vSphere client console.
3. Log in to the OVOC server by SSH as the 'acems' user and enter the acems password.
4. Switch to the 'root' user and provide the root password (default password is root):

    su - root

5. Proceed to the network configuration using the OVOC Server Manager.
6. Type the following command and press Enter:

    # EmsServerManager

7. Verify that all processes are up and running (see Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.
8. Set the OVOC server network IP address to suit your IP addressing scheme (see Server IP Address on page 195).
9. If you are installing the Service Provider Cluster mode, see Service Provider Cluster on page 188.
10. Perform other configuration actions as required using the OVOC Server Manager (see Getting Started on page 163).

8 Installing OVOC Server on Microsoft Hyper-V Virtual Machine

This section describes how to install the OVOC server on a Microsoft Hyper-V virtual machine.
Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8). Failure to meet these requirements will lead to the aborting of the installation.

For obtaining the installation files, see OVOC Software Deliverables on page 15. Note that you must also verify the ISO file; see Files Verification on page 18.

To install the OVOC server on Microsoft Hyper-V:
1. Transfer the ISO file containing the Microsoft Hyper-V Virtual Machine installation package that you received from AudioCodes to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Open Hyper-V Manager by clicking Start > Administrative Tools > Hyper-V Manager; the following screen opens:

   Figure 8-1: Installing the OVOC server on Hyper-V - Hyper-V Manager

3. Start the Import Virtual Machine wizard: click the Action tab, and then select Import Virtual Machine from the menu; the Import Virtual Machine screen shown below opens:

   Figure 8-2: Installing OVOC server on Hyper-V - Import Virtual Machine Wizard

4. Click Next; the Locate Folder screen opens:

   Figure 8-3: Installing OVOC server on Hyper-V - Locate Folder

5. Enter the location of the VM installation folder (extracted from the ISO file), and then click Next; the Select Virtual Machine screen opens.
6. Select the virtual machine to import, and then click Next; the Choose Import Type screen opens:

   Figure 8-4: Installing OVOC server on Hyper-V - Choose Import Type

7. Select the option 'Copy the virtual machine (create a new unique ID)', and then click Next; the Choose Folders for Virtual Machine Files screen opens:

   Figure 8-5: Installing OVOC server on Hyper-V - Choose Destination

8. Select the location of the virtual hard disk, and then click Next; the Choose Storage Folders screen opens:

   Figure 8-6: Installing OVOC server on Hyper-V - Choose Storage Folders

9. Select the Storage Folder for the Virtual Hard Disk, and then click Next; the Summary screen opens.
10. Click Finish to start the creation of the VM; an installation progress indicator similar to the following is shown:

   Figure 8-7: File Copy Progress Bar

   This process may take approximately 30 minutes to complete.
11. Proceed to Configuring the Virtual Machine Hardware Settings below.

Configuring the Virtual Machine Hardware Settings

This section shows how to configure the Virtual Machine's hardware settings. Before starting this procedure, select the required values for your type of installation (high or low profile) and note them in the following table for reference. For the required VMware Disk Space allocation, CPU, and memory, see Hardware and Software Specifications on page 8.

Table 8-1: Virtual Machine Configuration

    Required Parameter    Value
    Disk size
    Memory size
    CPU cores

To configure the VM for OVOC server:
1. Locate the new OVOC server VM in the tree in the Hyper-V Manager, right-click it, and then select Settings; the Virtual Machine Settings screen opens:

   Figure 8-8: Adjusting VM for OVOC server - Settings - Memory

2. In the Hardware pane, select Memory, as shown above, enter the 'Startup RAM' parameter as required, and then click Apply.
3. In the Hardware pane, select Processor; the Processor screen shown in the figure below opens.

   Figure 8-9: Adjusting VM for OVOC server - Settings - Processor

4. Set the 'Number of virtual processors' parameter as required.
5. Set the 'Virtual machine reserve (percentage)' parameter to 100%, and then click Apply.

Once the hard disk space allocation is increased, it cannot be reduced.

If you wish to create OVOC VMs in a Cluster environment that supports High Availability and you are using shared network storage, then ensure you provision a VM hard drive on the shared network storage on the cluster (see Configuring OVOC Virtual Machines in a Microsoft Hyper-V Cluster on page 93).

Expanding Disk Capacity

The OVOC server virtual disk is provisioned by default with a minimum volume. If a higher capacity is required for the target OVOC server, the disk can be expanded.

To expand the disk size:
1. Make sure that the target OVOC server VM is not running (Off state).
2. Select the Hard Drive, and then click Edit.

   Figure 8-10: Expanding Disk Capacity

   The Edit Virtual Disk Wizard is displayed as shown below.

   Figure 8-11: Edit Virtual Hard Disk Wizard

3. Click Next; the Choose Action screen is displayed:

   Figure 8-12: Edit Virtual Hard Disk Wizard - Choose Action

4. Select the Expand option, and then click Next; the Expand Virtual Hard Disk screen opens.

   Figure 8-13: Edit Virtual Hard Disk Wizard - Expand Virtual Hard Disk

5. Enter the required size for the disk, and then click Next; the Summary screen is displayed.

   Figure 8-14: Edit Virtual Hard Disk Wizard - Completion

6. Verify that all of the parameters have been configured, and then click Finish. The settings window is displayed.
7. Click OK to close.

Changing MAC Addresses from 'Dynamic' to 'Static'

By default, the MAC addresses of the OVOC server Virtual Machine are set dynamically by the hypervisor. Consequently, they might be changed under certain circumstances, for example, after moving the VM between Hyper-V hosts. Changing the MAC address may lead to an invalid license. To prevent this from occurring, MAC Addresses should be changed from 'Dynamic' to 'Static'.

To change the MAC address to 'Static' in Microsoft Hyper-V:
1. Shut down the OVOC server (see Shutdown the OVOC Server Machine on page 193).
2. In the Hardware pane, select Network Adapter and then Advanced Features.
3. Select the MAC address 'Static' option.
4. Repeat steps 2 and 3 for each network adapter.

   Figure 8-15: Advanced Features - Network Adapter - Static MAC Address

Configuring OVOC Virtual Machines in a Microsoft Hyper-V Cluster

This section describes how to configure OVOC VMs in a Microsoft Hyper-V cluster for HA.

Hyper-V Cluster Site Requirements

Ensure that your Hyper-V cluster site meets the following requirements:
   - The configuration process assumes that your Hyper-V failover cluster contains at least two Windows nodes with the Hyper-V service installed.
   - The cluster should be connected to a shared network storage of iSCSI type or any other supported type. For example, "QAHyperv" contains two nodes.

     Figure 8-16: Hyper-V - Failover Cluster Manager Nodes

   - The OVOC VM should be created with a hard drive that is situated on shared cluster storage.

Add the OVOC VM in Failover Cluster Manager

After you create the new OVOC VM, you should add the VM to a cluster role in the Failover Cluster Manager.

To add the OVOC VM in Failover Cluster Manager:

1. Right-click "Roles" and in the pop-up menu, choose Configure Role:

Figure 8-17: Configure Role

2. In the Select Role window, select the Virtual Machine option and then click Next.

Figure 8-18: Choose Virtual Machine

A list of available VMs is displayed; you should find your newly created OVOC VM:

Figure 8-19: Confirm Virtual Machine

3. Select the check box, and then click Next. At the end of the configuration process you should see the following:

Figure 8-20: Virtual Machine Successfully Added

4. Click Finish to confirm your choice.

Now your OVOC VM is protected by the Windows High Availability Cluster mechanism.

If you wish to manually move the OVOC VMs to another cluster node, see Appendix Managing Clusters on page 278.

Cluster Host Node Failure on Hyper-V

If a host node where the VM is running fails, the VM is restarted on the redundant cluster host node automatically.

When one of the cluster hosts fails, the OVOC VM is automatically moved to the redundant server host node. During this process, the OVOC VM is restarted and consequently any running OVOC processes are dropped. The move process may take several minutes.

Connecting OVOC Server to Network on Hyper-V

After installation, the OVOC server is assigned a default IP address that will most likely be inaccessible from the customer's network. This address is assigned to the first virtual network interface card connected to the 'trusted' virtual network switch during the OVOC server installation.
You need to change this IP address to suit your IP addressing scheme.

To reconfigure the OVOC server IP address:

1. Start the OVOC server virtual machine: on the Hyper-V tree, right-click the OVOC server, and then in the drop-down menu, choose Start.

Figure 8-21: Power On Virtual Machine

2. Connect to the console of the running server by right-clicking the OVOC server virtual machine, and then in the drop-down menu, choose Connect.

Figure 8-22: Connect to OVOC server Console

3. Log in to the OVOC server by SSH as 'acems' user and enter password acems.
4. Switch to 'root' user and provide root password (default password is root):

   su - root

5. Start the OVOC Server Manager utility by specifying the following command:

   # EmsServerManager

6. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.
7. Set the OVOC server network IP address to suit your IP addressing scheme (Server IP Address on page 195).
8. Perform other configuration actions as required using the OVOC Server Manager (Getting Started on page 163).

9 Installing OVOC Server on Dedicated Hardware

The OVOC server installation process supports the Linux platform. The installation includes four separate components, where each component is supplied on a separate DVD:

- DVD1: OS installation: OS installation DVD
- DVD2: Oracle Installation: Oracle installation DVD platform
- DVD3: OVOC application: OVOC server application installation DVD

Ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8). Failure to meet these requirements will lead to the aborting of the installation.

Installation of OVOC Version 7.8 and later must be performed on HP DL Gen10 machines. Installation on HP DL G8 machines is not supported.

For obtaining the installation files, see OVOC Software Deliverables on page 15. Note that you must verify this file; see Files Verification on page 18.

DVD1: Linux CentOS

The procedure below describes how to install Linux CentOS. This procedure takes approximately 20 minutes.

Before commencing the installation, you must configure RAID-0 (see Appendix Configuring RAID-0 for AudioCodes OVOC on HP ProLiant DL360p Gen10 Servers on page 275).

To perform DVD1 installation:

1. Insert the DVD1 into the DVD ROM.
2. Connect the OVOC server through the serial port with a terminal application and log in with 'root' user. Default password is root.
3. Reboot the OVOC server machine by specifying the following command:

   reboot

4. Press Enter; you are prompted whether you wish to start the installation through the RS-232 console or through the regular display.
5. Press Enter to start the installation from the RS-232 serial console or type vga, and then press Enter to start the installation from a regular display.

Figure 9-1: Linux CentOS Installation

Figure 9-2: CentOS

6. Wait for the installation to complete.

Figure 9-3: CentOS Installation

7. Reboot your machine by pressing Enter.

Do not forget to remove the Linux installation DVD from the DVD-ROM before rebooting your machine.

Figure 9-4: Linux CentOS Installation Complete

8. Log in as 'root' user with password root.
9. Type network-config, and then press Enter; the current configuration is displayed:

Figure 9-5: Linux CentOS Network Configuration

This script can only be used during the server installation process. Any additional Network configuration should later be performed using the OVOC Server Manager.

10. You are prompted to change the configuration; enter y.
11. Enter your Hostname, IP Address, Subnet Mask and Default Gateway.
12. Confirm the changes; enter y.
13. You are prompted to reboot; enter y.

Installing DVD1 without a CD-ROM

This section describes how to install DVD1 without a CD-ROM.

To install DVD1 without a CD-ROM:

1. Log in to iLO 5 with "Administrator" privileges.
2. Launch the Integrated Remote Console.

Figure 9-6: Information - iLO Overview

3. On your PC, insert the OVOC DVD1 into the drive and note the drive letter.
4. From Integrated Remote Console, click Virtual Drives and select the appropriate drive letter.

Figure 9-7: iLO Integrated Remote Console

5. From Integrated Remote Console, click Power Switch > Momentary Press; the server is shut down. Click Momentary Press to power the server back on.

Figure 9-8: Momentary Press

After the server boot process has commenced, press F11 to enter the boot menu.

Figure 9-9: Boot Menu

6. On the boot menu, scroll down using the mouse or arrow keys and select "iLO Virtual USB 3 : iLO Virtual CD-ROM" to start the boot sequence.

Figure 9-10: Boot Sequence

7. The following screen appears; select "Install CentOS ..." and press Enter.

Figure 9-11: Install CentOS

8. After a while the CentOS installation commences:

Figure 9-12: Start CentOS

9. Wait for the installation to finish; from the "Virtual Drives" menu, deselect the selected drive and press Enter; the server is rebooted.

Figure 9-13: Server Rebooted

10. After the server has restarted, press F11 to enter the boot menu.

Figure 9-14: Boot Menu

DVD2: Oracle DB Installation

The procedure below describes how to install the Oracle database. This procedure takes approximately 30 minutes.

Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file.

To perform DVD2 installation:

1. Insert DVD2-Oracle DB installation into the DVD ROM.
2. Log in to the OVOC server by SSH as 'acems' user, and enter password acems.
3. Switch to 'root' user and provide root password (default password is root):

   su - root

4. Mount the CDROM to make it available:

   mount /home/acems/DVD2_EMS_.iso /mnt

5. Run the installation script from its location:

   ./install

Figure 9-15: Oracle DB Installation

6. Enter y, and then press Enter to accept the License agreement.

Figure 9-16: Oracle DB Installation - License Agreement

7. Type the 'SYS' user password, type sys and then press Enter.

Figure 9-17: Oracle DB Installation (cont)

8. Wait for the installation to complete; reboot is not required at this stage.

Figure 9-18: Oracle DB Installation

DVD3: OVOC Server Application Installation

The procedure below describes how to install the OVOC server application. This procedure takes approximately 20 minutes.

To perform DVD3 installation:

1. Insert DVD3-OVOC Server Application Installation into the DVD ROM.
2. Log in to the OVOC server by SSH as 'acems' user, and enter the password acems.
3. Switch to 'root' user and provide root password (default password is root):

   su - root

4. Mount the CDROM to make it available:

   mount /home/acems/DVD3_EMS_.iso /mnt/EmsServerInstall/
   cd /mnt/EmsServerInstall/

5. Run the installation script from its location:

   ./install

Figure 9-19: OVOC server Application Installation

6. Enter y, and then press Enter to accept the License agreement.

Figure 9-20: OVOC server Application Installation License Agreement

7. When you are prompted to change the acems and root passwords, enter new passwords or enter existing passwords. You are then prompted to reboot the OVOC server machine; press Enter.

Figure 9-21: OVOC server Application Installation (cont)

8. The installation process verifies whether CentOS that you installed from DVD1 includes the latest OS patch updates; do one of the following:
   - If OS patches are installed, press Enter to reboot the server.
   - If there are no OS patches to install, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.

After the OVOC server has rebooted, repeat the steps from "Login into the OVOC server by SSH, as 'acems' user and enter password acems (or customer defined password)" on page 147 to "Enter y, and then press Enter to accept the License agreement" on page 148.

Figure 9-22: OVOC server Installation Complete

9. Wait for the installation to complete and reboot the OVOC server by typing reboot.
10. When the OVOC server has successfully restarted, log in to the OVOC server by SSH as 'acems' user and enter password acems.
11. Switch to 'root' user and provide root password (default password is root):

   su - root

12. Type the following command:

   # EmsServerManager

13. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.
14. Verify that the Date and Time are set correctly (Date and Time Settings on page 216).
15. Configure other settings as required (Getting Started on page 163).

10 Managing Device Connections

When the connections between the OVOC server and the managed devices traverse a NAT or firewall, direct connections cannot be established (both for OVOC > Device connections and for Device > OVOC connections).
OVOC provides methods for overcoming this issue. These methods can be used for both initial setup and Second-Day management:

- Establishing OVOC-Devices Connections below
- Establishing Devices - OVOC Connections on the next page

The table below describes the different connection scenarios.

Table 10-1: Device Connection Scenarios
Column headings: Configuration Option/Deployment Scenario; OVOC (AWS Cloud, Azure Cloud, On-Premises Over Public Network); Devices (AWS Cloud, Azure Cloud, On-Premises).
Row headings: AudioCodes SBC Devices (Cloud Architecture Mode; OVOC Server Configured with Public IP); Phones (Device Manager Agent).

For OVOC Managed devices: All remote connections for OVOC managed devices require a configured WAN interface on the managed device.

For more information on phone and Jabra/third-party vendor device connections, refer to the OVOC Security Guidelines and to the Device Manager Agent Installation and Configuration Guide/Device Manager for Third-Party Vendor Products Administrator's Manual.

Establishing OVOC-Devices Connections

When OVOC is deployed behind a firewall or NAT in the cloud or in a remote network, it cannot establish a direct connection with managed devices using its private IP address. Consequently, you must configure the OVOC Server IP address as follows:

- For OVOC Cloud deployments: Configure the OVOC server public IP address.
- For OVOC deployments in a remote public network: Configure the IP address of the NAT router.

See Configure OVOC Server with Public or NAT IP Address below.

Configure OVOC Server with Public or NAT IP Address

This option lets you configure the OVOC server with a public IP address, which enables devices that are deployed behind a NAT in a remote Enterprise or Cloud network to connect to OVOC.

When the "Cloud Architecture" mode is enabled, this option is removed from the OVOC Server Manager "Network Configuration" menu.

To configure OVOC Server with Public IP address:

1. From the Network Configuration menu, choose NAT, and then press Enter.

Figure 10-1: Configure NAT IP

2. Enter the NAT IP address, and then press Enter.
3. Type y to confirm the changes.
4. Stop and start the OVOC server for the changes to take effect.

To remove NAT configuration:

1. Enter the value -1.
2. Type y to confirm the changes.
3. Stop and start the OVOC server for the changes to take effect.

Establishing Devices - OVOC Connections

When devices are deployed behind a firewall or NAT in the cloud or in a remote network, they cannot establish a direct connection with the OVOC server. Consequently, the following methods can be used to overcome this issue:

- Automatic Detection: devices are connected automatically to OVOC by sending SNMP Keep-alive messages. See Automatic Detection on the next page.
- OVOC Cloud Architecture Mode: Communication between OVOC deployed in the AWS Cloud and devices deployed either in the AWS Cloud or in a remote network is secured over an HTTP/S tunnel overlay network. See Configure OVOC Cloud Architecture Mode on the next page.

This mode is only supported for OVOC deployment on Amazon AWS.

Single Sign-on from OVOC Web to managed device's Web interface is only supported for the "Cloud Architecture Mode" option.

Automatic Detection

The Automatic Detection feature enables devices to be automatically connected to OVOC over SNMP. When devices are connected to the power supply in the enterprise network and/or are rebooted and initialized, they're automatically detected by the OVOC and added by default to the AutoDetection region. For this feature to function, devices must be configured with the OVOC server's IP address and configured to send keep-alive messages. OVOC then connects to the devices and automatically determines their firmware version and subnet. Devices are then added to the appropriate tenant/region according to the best match for subnet address.
When a default tenant exists, devices that cannot be successfully matched with a subnet are added to an automatically created AutoDetection Region under the default tenant. When a default tenant does not exist and the device cannot be matched with a subnet, the device isn't added to OVOC. For more information, refer to Section "Adding AudioCodes Devices Automatically" in the OVOC User's Manual.

Configure OVOC Cloud Architecture Mode

When OVOC is deployed in a public cloud and managed devices are deployed either in the Cloud or in an enterprise network, an automatic mechanism can be enabled to secure the OVOC server and SBC device communication by binding it to a dedicated HTTP/S tunnel through a generic WebSocket server connection. This mechanism binds several different port connections, including SNMP, HTTP, syslog and debug recording, into an HTTP/S tunnel overlay network. This eliminates the need for administrators to manually manage firewall rules for these connections and to lease third-party VPN services. When operating in this mode, Single Sign-on can also be performed from the Devices Page link in the OVOC Web interface to SBC devices deployed behind a NAT. The figure below illustrates the OVOC Cloud Architecture.

This mode is supported for both Microsoft Azure and Amazon AWS deployments for all SBC devices released in Version 7.2.256.

Figure 10-2: Cloud Architecture

This section includes the following:

- Before Enabling Cloud Architecture Mode below
- Configuring Cloud Architecture Mode on the next page

Before Enabling Cloud Architecture Mode

Before enabling Cloud Architecture mode, ensure the following:

- Ensure HTTPS port 80 or HTTPS port 443 are open on the Enterprise firewall. For maximum security, it's advised to implement this connection over HTTPS port 443 with One-way authentication. Mutual authentication is not supported for this mode.
  This connection can be secured using either AudioCodes certificates or custom certificates.
- Ensure that all managed devices have been upgraded to the software version that supports this feature (refer to SBC-Gateway Series Release Notes for Latest Release Versions 7.2). If devices are not appropriately upgraded, they cannot be managed in OVOC.
- Ensure that the following parameters have been configured for the managed devices (for more information, refer to the relevant SBC User's Manual):
  - WSTunServerAddress
  - WSTunServerPath
  - WSTunUsername
  - WSTunPassword
  - WSTunSecured
  - WSTunVerifyPeer
- In the OVOC Web interface, the SBC Devices Communication parameter must be set to IP Based in the Configuration screen (System tab > Administration menu > OVOC Server folder > Configuration); do not use an FQDN when working in Cloud Architecture mode.

Configuring Cloud Architecture Mode

This option configures the OVOC server in a cloud topology. When configured, a "secure tunnel" overlay network is established between the connected devices and the OVOC server. This connection is secured over a WebSocket connection. The Tunnel Status indicates the status for all sub-processes running for this architecture.

To set up cloud architecture:

1. From the Network Configuration menu, choose Cloud Architecture.

Figure 10-3: Cloud Architecture

2. Select option Enable Cloud Architecture. The OVOC server is restarted.

When this option is configured, the NAT configuration option is disabled.

Part III OVOC Server Upgrade

This part describes the upgrade of the OVOC server on dedicated hardware and on virtual and cloud platforms.

11 Upgrading OVOC Server on Amazon AWS and Microsoft Azure

This section describes how to upgrade the OVOC server on the Amazon AWS and Microsoft Azure platforms.

Before proceeding, it is highly recommended to back up the OVOC server files to an external location (see OVOC server Backup).
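
For the device-side WSTun parameters listed under "Before Enabling Cloud Architecture Mode" above, the following pre-flight check is an added example and is not AudioCodes code. It assumes the device configuration has been exported as an INI-style file of `Name = value` lines and that 1 means enabled for WSTunSecured and WSTunVerifyPeer; the function names, file layout and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an exported device configuration for the WSTun* tunnel
# parameters named in "Before Enabling Cloud Architecture Mode".
# Assumptions (not from the manual): "Name = value" lines, ';' starts a
# comment, and WSTunSecured / WSTunVerifyPeer use 1 for enabled.

# wstun_get FILE NAME: print the last value set for NAME (case-insensitive).
wstun_get() {
    awk -v want="$2" '
        /^[ \t]*;/ { next }                     # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", name) # trim whitespace and CR
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            gsub(/^"|"$/, "", val)              # drop one pair of double quotes
            if (tolower(name) == tolower(want)) found = val
        }
        END { print found }
    ' "$1"
}

# wstun_lint FILE: print one finding per line; return the number of findings.
wstun_lint() {
    file=$1
    findings=0
    if [ ! -r "$file" ]; then
        echo "ERROR cannot read $file"
        return 1
    fi
    # The export contains WSTunPassword, so group/other should not read it.
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN  $file is group/world readable and holds WSTunPassword"
        findings=$((findings + 1))
    fi
    # All six parameters must be present and non-empty.
    for name in WSTunServerAddress WSTunServerPath WSTunUsername \
                WSTunPassword WSTunSecured WSTunVerifyPeer; do
        if [ -z "$(wstun_get "$file" "$name")" ]; then
            echo "FAIL  $name is missing or empty"
            findings=$((findings + 1))
        fi
    done
    # The manual advises HTTPS on port 443 with one-way authentication.
    secured=$(wstun_get "$file" WSTunSecured)
    verify=$(wstun_get "$file" WSTunVerifyPeer)
    if [ -n "$secured" ] && [ "$secured" != 1 ]; then
        echo "FAIL  WSTunSecured=$secured (assumed: tunnel not over HTTPS)"
        findings=$((findings + 1))
    fi
    if [ -n "$verify" ] && [ "$verify" != 1 ]; then
        echo "FAIL  WSTunVerifyPeer=$verify (assumed: server cert not verified)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# wstun_sample DIR: write two constructed exports, a weak one and a hardened one.
wstun_sample() {
    cat > "$1/weak.ini" <<'EOF'
; constructed sample, not taken from a real device
WSTunServerAddress = 203.0.113.10
WSTunServerPath = /tunnel
WSTunUsername = sbc-site1
WSTunPassword = example-only
WSTunSecured = 0
WSTunVerifyPeer = 0
EOF
    sed -e 's/^WSTunSecured = 0/WSTunSecured = 1/' \
        -e 's/^WSTunVerifyPeer = 0/WSTunVerifyPeer = 1/' \
        "$1/weak.ini" > "$1/hardened.ini"
    chmod 644 "$1/weak.ini"
    chmod 600 "$1/hardened.ini"
}

# Demo on the constructed samples.
wstun_demo() {
    dir=$(mktemp -d) || return 1
    wstun_sample "$dir"
    for f in "$dir/weak.ini" "$dir/hardened.ini"; do
        echo "== $f"
        wstun_lint "$f" && echo "OK    no findings"
    done
    rm -rf "$dir"
}
wstun_demo
```
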

Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8). Failure to meet these requirements will lead to the aborting of the upgrade.

For obtaining the upgrade file, see OVOC Software Deliverables on page 15. Note that you must verify this file; see Files Verification on page 18.

For before upgrade actions, see Before Upgrading on Microsoft Azure on page 121.

For after upgrade actions, see After Upgrading on AWS on page 121.

To upgrade the OVOC server on Cloud platforms:

1. Copy the DVD3 ISO file that you received from AudioCodes to your PC.
2. Using the WinSCP utility (see Transferring Files on page 295), copy the .ISO file to the OVOC server acems user home directory: /home/acems
3. Open an SSH connection.
4. Log in to the OVOC server as acems user with password acems (or customer defined password).
5. Switch to 'root' user:

   su - root

6. Mount the DVD3.iso file to the /mnt directory:

   mount /home/acems/DVD3_EMS_8.0.110.iso /mnt
   cd /mnt/EmsServerInstall

7. Run the installation script:

   ./install

8. Enter y, and then press Enter to accept the License agreement.

Figure 11-1: OVOC server Upgrade License Agreement

9. The upgrade process installs OS packages updates and patches. After the patch installation, reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 4-9 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.

Figure 11-2: OVOC server Installation Complete

10. Wait for the installation to complete and reboot the OVOC server by typing reboot.
11. When the OVOC server has successfully restarted, log in to the OVOC server by SSH as 'acems' user and enter password acems.
12. Switch to 'root' user and provide root password (default password is root):

   su - root

13. Type the following command:

   # EmsServerManager

14. Verify that all processes are up and running (see Viewing Process Statuses on page 169) and that you can log in to the OVOC Web client.

Before Upgrading on Microsoft Azure

This procedure describes the actions required before upgrading to OVOC version 8.0 instance with updated memory requirements.

Do the following:

1. Stop your OVOC instance (see Stop the Application on page 182).
2. Change Instance type to the following:
   - Low Profile: D8ds_v4
   - High Profile: D16ds_v4
3. Start new OVOC instance.
4. Upgrade OVOC Software to the new OVOC software version as described in Upgrading OVOC Server on Amazon AWS and Microsoft Azure on page 119.

After Upgrading on AWS

The procedure below describes the required actions on AWS following the upgrade to OVOC Version 8.0.

Do the following:

1. Run full OVOC backup (see OVOC Server Backup Processes on page 156).
2. Create new AWS instance on m5.4xlarge (High Profile) machine with OVOC Software version 8.0.
3. Restore OVOC data from the backup (see OVOC Server Restore on page 158).

The OVOC version from where the backup is taken must be identical to the OVOC version on which the restore is run.

12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines

This chapter describes how to upgrade the OVOC server on VMware and Microsoft Hyper-V Virtual machines.

Before proceeding, it is highly recommended to back up the OVOC server files to an external location (OVOC server Backup).

If you are upgrading from Version 7.2.3000, you can optionally migrate OVOC topology to Version 7.4 and later (see document Migration from EMS and SEM Version 7.2.3000 to One Voice Operations Center).

Ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8).
Failure to meet these requirements will lead to the aborting of the upgrade.

For obtaining the upgrade file, see OVOC Software Deliverables on page 15. Note that you must verify this file; see Files Verification on page 18.

VMware platform only: If you are installing the Service Provider Cluster mode, a separate upgrade image is provided for each of the following components: Management server, VQM server and PM server. Therefore, you must run the upgrade script separately for each of these images.

The upgrade includes the following steps:

1. Set up the Virtual Machine (Step 1: Setup the Virtual Machine below)
2. Run the upgrade script (Option 1: Standard Upgrade Script on page 135)
3. Connect the OVOC server to the network (Step 3: Connect the OVOC Server to Network on page 144)

Step 1: Setup the Virtual Machine

This section describes how to set up the virtual machine before you run the upgrade script.

- Setting up VMware Platform for Upgrade below
- Setting Up Microsoft Hyper-V Platform for Upgrade on page 129

Setting up VMware Platform for Upgrade

The upgrade on the VMware platform can be run using either the Upgrade media CD/DVD or ISO file using either the VMware Remote Console Application (VMRC) or the VMware Server Host.

A remote connection to the VMware host is established using the VMware Remote Console application (VMRC). You must download this application or use a preinstalled remote connection client to connect to the remote host.

The procedures below show screen examples of the vSphere Web Client. However, refer to the VMware documentation for more information.

To set up the VMware machine:

1. Transfer the OVA file containing the VMware Virtual Machine installation package from DVD3-OVOC server Application Installation to your PC (see Transferring Files on page 295 for instructions on how to transfer files).
2. Log in to the VMware vSphere Web client.

Figure 12-1: VMware vSphere Web Client

3. In the vCenter Navigator, select Hosts and Clusters. A list of Hosts and Clusters is displayed.

Figure 12-2: Hosts and Clusters

4. Right-click the AudioCodes OVOC node that you wish to upgrade and choose the Edit Settings option.

Figure 12-3: Edit Settings Option

The vCenter Edit Settings screen is displayed.

Figure 12-4: Connection Options

5. In the Virtual Hardware tab, select the CD/DVD drive item, and from the drop-down list, select the relevant option according to where you placed the Upgrade Media (CD/DVD or ISO image file):
   - Client Device: This option enables you to run the upgrade from the PC running the remote console (Setting up Using VMware Remote Console Application (VMRC) on the next page).
   - Host Device: This option enables you to run the upgrade from the CD/DVD drive of the VMware server host (Setting up Using VMware Server Host for Upgrade on page 128).
   - Datastore ISO file: This option enables you to run the upgrade from the image file on the storage device of the VMware server host. When you choose this option, browse to the location of the ISO file on the VMware storage device (Setting up Using VMware Server Host for Upgrade on page 128).

Setting up Using VMware Remote Console Application (VMRC)

This section describes how to run the upgrade from the VMware host. This procedure requires connecting to the VMware host using the VMware Remote Console application (VMRC).

To run the upgrade using VMRC:

1. In the Manage tab under Settings > VM Hardware, select the Help icon adjacent to the CD/DVD drive item and then from the pop-up, click the Launch Remote Console to launch the VMware Remote Console application (VMRC).
   If necessary, click the Download Remote Console link to download this application. If you already have a remote console application installed on your machine, you can use your pre-installed application.

Figure 12-5: Help Link to Launch Remote Console

Figure 12-6: VMware Web Client

The remote console application is displayed.

Figure 12-7: Remote Console Application

2. In the toolbar, from the VMRC drop-down list, choose Manage > Virtual Machine Settings. The Virtual Machine Settings screen is displayed:

Figure 12-8: Virtual Machine Settings

3. From the Location drop-down list, select Local Client.
4. Select the CD/DVD drive item and then choose one of the following:
   - Use physical drive: from the drop-down list, select the CD/DVD drive where you placed the Upgrade media.
   - Use ISO image file: browse to the location of the ISO image file.
5. Click OK.

Setting up Using VMware Server Host for Upgrade

This section describes how to run the upgrade using the VMware server host.

To run the upgrade using the VMware Server host:

1. Select the Manage tab, right-click the Connect icon and select one of the following options:
   - Connect to host CD device
   - Connect to CD/DVD image on a datastore

Figure 12-9: Connect to Host CD Device / Datastore ISO file

2. Wait until the machine reconfiguration has completed, and then verify that the 'Connected' status is displayed:

Figure 12-10: CD/DVD Drive - Connected Status

Setting Up Microsoft Hyper-V Platform for Upgrade

This section describes how to upgrade the OVOC server on the Microsoft Hyper-V Server. This procedure takes approximately 30 minutes and predominantly depends on the hardware machine where the Microsoft Hyper-V platform is installed.

The upgrade of the OVOC server on Microsoft Hyper-V includes the following procedures:

- Upgrade the Virtual Machine (VM) (Installing the Microsoft Hyper-V Virtual Machine).
- Configure the Virtual machine hardware settings (Configuring the Virtual Machine Hardware Settings on page 85).
- Change MAC addresses from 'Dynamic' to 'Static' (Changing MAC Addresses from 'Dynamic' to 'Static' on page 92).

To set up the Microsoft Hyper-V machine:

1. Transfer the ISO file containing the Microsoft Hyper-V Virtual Machine installation package from the AudioCodes DVD3-OVOC server Application Installation to your PC (see Appendix Transferring Files on page 295 for instructions on how to transfer files).
2. Open Hyper-V Manager by clicking Start > Administrative Tools > Hyper-V Manager; the following screen opens:

Figure 12-11: Installing the OVOC server on Hyper-V - Hyper-V Manager

3. Start the Import Virtual Machine wizard: click the Action tab, and then select Import Virtual Machine from the menu; the Import Virtual Machine screen shown below opens:

Figure 12-12: Installing OVOC server on Hyper-V - Import Virtual Machine Wizard

4. Click Next; the Locate Folder screen opens:

Figure 12-13: Installing OVOC server on Hyper-V - Locate Folder

5. Enter the location of the VM installation folder, which was previously extracted from the ISO file, as shown in the figure above, and then click Next; the Select Virtual Machine screen opens.
6. Select the virtual machine to import, and then click Next; the Choose Import Type screen opens:

Figure 12-14: Installing OVOC server on Hyper-V - Choose Import Type

7. Select the option "Copy the virtual machine (create a new unique ID)", and then click Next; the Choose Folders for Virtual Machine Files screen opens:

Figure 12-15: Installing OVOC server on Hyper-V - Choose Destination

8. Select the location of the virtual hard disk, and then click Next; the Choose Storage Folders screen opens:

Figure 12-16: Installing OVOC server on Hyper-V - Choose Storage Folders

9. Select the Storage Folder for the Virtual Hard Disk, and then click Next; the Summary screen opens.
10. Click Finish to start the creation of the VM; a similar installation progress indicator is shown:

Figure 12-17: File Copy Progress Bar

This step may take approximately 30 minutes to complete.

Step 2: Run the Server Upgrade Script

This section describes how to run the OVOC server upgrade script:

- Option 1: Standard Upgrade Script below
- Option 2: Service Provider Cluster Upgrade Scripts on page 137

Option 1: Standard Upgrade Script

Once you have set up the virtual machines, you can run the OVOC Server upgrade script.

Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file.

To run the OVOC Server upgrade:

1. Using the WinSCP utility (see Transferring Files on page 295), copy the DVD3 .ISO file that you saved to your PC in Step 1: Setup the Virtual Machine on page 122 to the OVOC server acems user home directory: /home/acems
2. Open an SSH connection or the VM console.
3. Log in to the OVOC server as 'acems' user with password acems (or customer defined password).
4. Switch to 'root' user and provide root password (default password is root):

   su root

5. Mount the CDROM to make it available:

   mount /home/acems/DVD3_OVOC_8.0.110.iso /mnt
   cd /mnt/EmsServerInstall/

6. Run the installation script from its location:

   ./install

Figure 12-18: OVOC server Installation Script

7. Enter y, and then press Enter to accept the License agreement.

Figure 12-19: OVOC server Upgrade License Agreement

8. The upgrade process installs OS packages updates and patches. After the patch installation, reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 2-7 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.

Figure 12-20: OVOC server Installation Complete

9. Wait for the installation to complete and reboot the OVOC server by typing reboot.

Option 2: Service Provider Cluster Upgrade Scripts

Once you have set up the virtual machines, you can run the OVOC server upgrade scripts for the Management, VQM and PM servers; a separate script file for each of these cluster nodes is provided on the DVD3-OVOC Server Application ISO file.

Do the following:

1. Upgrade Management server (see Upgrade Management Server on the next page)
2. Upgrade PM and VQM servers:
   - Upgrade VQM Server on page 140
   - Upgrade PM Server on page 142

Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file.

Upgrade the Management server prior to upgrading the VQM and PM servers.

Upgrade Management Server

This section describes how to upgrade the Management server cluster node.

To upgrade the Management Server cluster node:

1. Using the WinSCP utility (see Transferring Files on page 295), copy the DVD3 .ISO file that you saved to your PC in Step 1: Setup the Virtual Machine on page 122 to the OVOC server acems user home directory: /home/acems
2. Open an SSH connection or the VM console.
3. Log in to the OVOC server as 'acems' user with password acems (or customer defined password).
4. Switch to 'root' user and provide root password (default password is root):

   su root

5. Mount the CDROM to make it available:

   mount /home/acems/DVD3_OVOC_8.0.110.iso /mnt
   cd /mnt/EmsServerInstall/

6. Run the installation script from its location:

   ./install

Figure 12-21: OVOC server Installation Script

7. Enter y, and then press Enter to accept the License agreement.

Figure 12-22: OVOC server Upgrade License Agreement

8. The upgrade process installs OS packages updates and patches. After the patch installation, reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 2-7 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.

Figure 12-23: OVOC server Installation Complete

9. Wait for the installation to complete and reboot the OVOC server by typing reboot.

Upgrade VQM Server

Once you have set up the virtual machines and installed the Management Server (see ), you can run the VQM server upgrade script.

Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file.

To upgrade VQM server:

1.
Using the WinSCP utility (see Transferring Files on page 295 ), copy the DVD3 .ISO file containing the VQM server installation that you saved to your PC inStep 1: Setup the Virtual Machine on page 122 to the OVOC server acems user home directory: /home/acems 2. Open an SSH connection or the VM console. 3. Login into the OVOC server as `acems' user with password acems (or customer defined password). 4. Switch to 'root' user and provide root password (default password is root): su root 5. Mount the CDROM to make it available: mount /home/acems/DVD3_OVOC_ 8.0.110.iso /mnt cd /mnt/EmsServerInstall/ 6. Run the installation script from its location: ./install_vqm - 140 - CHAPTER 12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines Figure 12-24: OVOC server Installation Script OVOC | IOM 7. Enter y, and then press Enter to accept the License agreement. Figure 12-25: OVOC server Upgrade License Agreement 8. The upgrade process installs OS packages updates and patches. After the patch installation, reboot might be required: If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 2-7 (inclusive). If you are not prompted to reboot, proceed to step Wait for the installation to complete and reboot the OVOC server by typing reboot. on the next page - 141 - CHAPTER 12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines Figure 12-26: OVOC server Installation Complete OVOC | IOM 9. Wait for the installation to complete and reboot the OVOC server by typing reboot. Upgrade PM Server Once you have setup the virtual machines and installed the Management Server (see Step 2: Run the OVOC Server Upgrade Script), you can run the PM server upgrade script. Before starting the installation, it is highly recommended to configure the SSH client (e.g. Putty application) to save the session output into a log file. To run the PM server upgrade: 1. 
Using the WinSCP utility(see Transferring Files on page 295), copy the DVD3 .ISO file containing the VQM server installation that you saved to your PC in Step 1: Setup the Virtual Machine on page 122 to the OVOC server acems user home directory: /home/acems. 2. Open an SSH connection or the VM console. 3. Login into the OVOC server as `acems' user with password acems (or customer defined password). 4. Switch to 'root' user and provide root password (default password is root): su root 5. Mount the CDROM to make it available: mount /home/acems/DVD3_OVOC_ 8.0.110.iso /mnt cd /mnt/EmsServerInstall/ 6. Run the installation script from its location: ./install_pm - 142 - CHAPTER 12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines Figure 12-27: OVOC server Installation Script OVOC | IOM 7. Enter y, and then press Enter to accept the License agreement. Figure 12-28: OVOC server Upgrade License Agreement 8. The upgrade process installs OS packages updates and patches. After the patch installation, reboot might be required: If you are prompted to reboot, press Enter to reboot the OVOC server and then repeat steps 2-7 (inclusive). If you are not prompted to reboot, proceed to step Wait for the installation to complete and reboot the OVOC server by typing reboot. on the next page - 143 - CHAPTER 12 Upgrading OVOC Server on VMware and Microsoft Hyper-V Virtual Machines Figure 12-29: OVOC server Installation Complete OVOC | IOM 9. Wait for the installation to complete and reboot the OVOC server by typing reboot. Step 3: Connect the OVOC Server to Network After installation, the OVOC server is assigned a default IP address that will most likely be inaccessible from the customer's network. This address is assigned to the first virtual network interface card connected to the 'trusted' virtual network switch during the OVOC server installation. You need to change this IP address to suit your IP addressing scheme. 
Connecting to OVOC Server on VMware

This section describes how to connect to the OVOC server using the VMware vCenter.

To connect the OVOC server:

1. Power on the machine; in the vCenter tree, right-click the AudioCodes One Voice Operations Center node (vOC) and in the drop-down menu, choose Power > Power On. Upon the initial boot up after reconfiguring the disk space, the internal mechanism configures the server installation according to the version specifications (Hardware and Software Specifications on page 8).
   Figure 12-30: Power On
2. Wait until the boot process has completed, and then connect the running server through the vSphere client console.
3. Log in to the OVOC server by SSH as the 'acems' user and enter password acems.
4. Switch to the 'root' user and provide the root password (default password is root):
    su - root
5. Type the following command:
    # EmsServerManager
6. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.
7. If you are installing the Service Provider Cluster mode, see Service Provider Cluster on page 188.

Connecting to OVOC Server on Hyper-V

This section describes how to connect to the OVOC server on the Hyper-V platform.

To connect to the OVOC server:

1. Start the OVOC server virtual machine: on the Hyper-V tree, right-click the OVOC server, and then in the drop-down menu, choose Start.
   Figure 12-31: Power On Virtual Machine
2. Connect to the console of the running server by right-clicking the OVOC server virtual machine, and then in the drop-down menu, choose Connect.
   Figure 12-32: Connect to OVOC server Console
3. Log in to the OVOC server by SSH as the 'acems' user and enter password acems.
4. Switch to the 'root' user and provide the root password (default password is root):
    su - root
5. Type the following command:
    # EmsServerManager
6. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.

13 Upgrading OVOC Server on Dedicated Hardware

This section describes the upgrade of the OVOC server on dedicated hardware.

- Before proceeding, it is highly recommended to back up the OVOC server files to an external location (OVOC server Backup).
- If you are upgrading from Version 7.2.3000, you can optionally migrate topology to Version 7.4 and later (see document Migration from EMS and SEM Version 7.2.3000 to One Voice Operations Center).
- Before proceeding, ensure that the minimum platform requirements are met (see Hardware and Software Specifications on page 8). If these requirements are not met, the upgrade is aborted.
- Upgrade of OVOC Version 7.8 and later must be performed on HP DL Gen10 machines. Upgrade on HP DL G8 machines is not supported.
- To obtain the upgrade file, see OVOC Software Deliverables on page 15. Note that you must verify this file (see Files Verification on page 18).

Upgrading the OVOC Server-DVD

This section describes how to upgrade the OVOC server from the AudioCodes supplied installation DVD. To upgrade the OVOC server, only DVD3 is required (see OVOC Software Deliverables on page 15). Verify in the OVOC Manager 'General Info' screen that you have installed the latest Linux revision (see Hardware and Software Specifications on page 8). If you have an older OS revision, a clean installation must be performed using all three DVDs (see Installing the OVOC server on Dedicated Hardware).

Before starting the installation, it is highly recommended to configure the SSH client (e.g. PuTTY application) to save the session output into a log file.

To upgrade the OVOC server:

1. Insert DVD3-OVOC Server Application Installation into the DVD ROM.
2. Log in to the OVOC server by SSH as the 'acems' user and enter password acems (or the customer-defined password).
3. Switch to the 'root' user and provide the root password (default password is root):
    su root
4. Mount the CDROM to make it available (if required):
    mount /home/acems/DVD3_OVOC_/mnt
5. Run the installation script from its location:
    cd /misc/cd/EmsServerInstall/
    ./install
   Figure 13-1: OVOC server Upgrade
6. Enter y, and then press Enter to accept the License agreement.
   Figure 13-2: OVOC server Upgrade License Agreement
7. The upgrade process installs OS package updates and patches. After the patch installation, a reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server, and then repeat steps 2-7 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.
   Figure 13-3: OVOC server Installation Complete
8. Wait for the installation to complete and reboot the OVOC server by typing reboot.
9. When the OVOC server has successfully restarted, log in to the OVOC server by SSH as the 'acems' user and enter password acems.
10. Switch to the 'root' user and provide the root password (default password is root):
    su - root
11. Type the following command:
    # EmsServerManager
12. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.

Upgrading the OVOC Server using an ISO File

This section describes how to upgrade the OVOC server using an ISO file.

To upgrade using an ISO file:

1. Log in to the OVOC server by SSH as the 'acems' user and enter password acems (or the customer-defined password).
2. Using the WinSCP utility (see Transferring Files on page 295), copy the .ISO file that you received from AudioCodes from your PC to the OVOC server acems user home directory: /home/acems
3. Switch to the 'root' user and provide the root password (default password is root):
    su root
4. Specify the following commands:
    mount /home/acems/DVD3_OVOC_8.0.110.iso /mnt
    cd /mnt/EmsServerInstall
5. Run the installation script from its location:
    ./install
   Figure 13-4: OVOC server Upgrade
6. Enter y, and then press Enter to accept the License agreement.
   Figure 13-5: OVOC server Upgrade License Agreement
7. The upgrade process installs OS package updates and patches. After the patch installation, a reboot might be required:
   - If you are prompted to reboot, press Enter to reboot the OVOC server, log in as the 'acems' user, enter password acems (or the customer-defined password), and then repeat steps 4-8 (inclusive).
   - If you are not prompted to reboot, proceed to the step "Wait for the installation to complete and reboot the OVOC server by typing reboot" below.
   Figure 13-6: OVOC server Installation Complete
8. Wait for the installation to complete and reboot the OVOC server by typing reboot.
9. When the OVOC server has successfully restarted, log in to the OVOC server by SSH as the 'acems' user and enter password acems.
10. Switch to the 'root' user and provide the root password (default password is root):
    su - root
11. Type the following command:
    # EmsServerManager
12. Verify that all processes are up and running (Viewing Process Statuses on page 169) and verify that login to the OVOC Web client is successful.

14 Installation and Upgrade Troubleshooting of the Operational Environment

This section describes the different scenarios for troubleshooting the operational environment.
If you attempted to upgrade and your system did not meet the minimum hardware requirements, the following message is displayed:

Figure 14-1: Minimum Hardware Requirements Upgrade

If the OVOC server hardware configuration is changed and the server is then restarted, the following message is displayed in the /var/log/ems/nohup.out file:

Figure 14-2: Minimum Hardware Requirements System Error

If the hardware settings are changed after an upgrade or clean installation so that the minimum requirements are no longer met, the following message is displayed in the OVOC Server Manager Status screen:

Figure 14-3: Status Screen Error

In the same situation, the following message is displayed in the OVOC Server Manager General Info screen:

Figure 14-4: General Info Minimum Requirements

Part IV OVOC Server Machine Backup and Restore

This part describes how to restore the OVOC server machine from a backup.

15 OVOC Server Backup Processes

There are four main backup processes that run on the OVOC server:

- Weekly backup: runs once a week at a pre-configured date & time (default is Saturday 02:00). In this process, the whole database is backed up into several "RMAN" files that are located in the /data/NBIF/emsBackup/RmanBackup directory. For example, daily_dbems_<time&date>_<randomstring>_<index>. In addition, several other configuration and software files are backed up to the archive file emsServerBackup_<version>_<time&date>.tar in the /data/NBIF/emsBackup/RmanBackup directory.
  In general, this TAR file contains the entire /data/NBIF directory's content, with the exception of the 'emsBackup' directory, OVOC Software Manager content and server_xxx directory content. To change the weekly backup's time and date, see Change Schedule Backup Time.
- Daily backup: runs daily except on the day scheduled for the weekly backup (see above). The daily backup process backs up the last 24 hours. There are no changes in the TAR file in this process.
- Cassandra backup: runs daily (runs prior to the above) and backs up the last 24 hours to the archive file cassandraBackup_<version>_<date>_<snapshotId>_<Role>_numberOfNodes.tar. When working in Service Provider Cluster, backup of the cluster node servers (VQM and PM) is performed on the Management server.
- Configuration backup: runs daily and backs up to the archive file ovocConfigBackup_<version>_<time&date>.tar.gz

Notes:

- Daily and weekly backups run one hour after the Cassandra backup. For example, if the backup time is 2:00, the Cassandra backup runs at 2:00 and the Weekly/Daily and Configuration backups run at 3:00.
- The Backup process does not back up configurations performed using OVOC Server Manager, such as networking and security.
- RmanBackup files are deleted during the OVOC server upgrade.
- It is highly recommended to maintain all backup files on an external machine. These files can be transferred outside the server directly from their default location by SCP or SFTP client using the 'acems' user.

Do the following:

1. Copy the following backup files to an external machine:
    /data/NBIF/emsBackup/emsServerBackup_<version>_<time&date>.tar
    /data/NBIF/emsBackup/ovocConfigBackup_<version>_<time&date>.tar.gz
    /data/NBIF/emsBackup/cassandraBackup_<version>_<date>_<snapshotId>_<MGMT>_numberOfNodes.tar
    /data/NBIF/emsBackup/RmanBackup/daily_dbems_<time&date>_<randomstring>_<index>
    /data/NBIF/emsBackup/RmanBackup/weekly_dbems_<time&date>_<randomstring>_<index>
    /data/NBIF/emsBackup/RmanBackup/control.ctl
    /data/NBIF/emsBackup/RmanBackup/init.ora

Change Schedule Backup Time

This step describes how to reschedule the time to run the automatic backup of the following files:

- emsServerBackup_<version>_<time&date>.tar
- RmanBackup
- ovocConfigBackup_<version>_<time&date>.tar.gz
- cassandraBackup_<version>_<date>_<snapshotId>_<Role>_numberOfNodes.tar

where:

- <time&date> is an example; replace this path with your filename.
- <version> is the version number of the OVOC server release.

To schedule backup time:

1. From the Application Maintenance menu, choose Change Schedule Backup Time.
2. Choose the day of the week that you wish to perform the backup.
   Figure 15-1: Backup Scheduling

16 OVOC Server Restore

This section describes how to restore the OVOC server. This can be done on the original machine that the backup files were created from or on any other machine.

- If you're running the restore process on a different machine, its disk size should be the same as the original machine from which the backup files were taken.
- Restore actions can be performed only with backup files which were previously created in the same OVOC version.
- If you are restoring to a new machine, make sure that you have purchased a new license file machine ID. AudioCodes customer support will assist you to obtain a new license prior to the restore process.

To restore the OVOC server:

1. Install (or upgrade) OVOC to the same version from which the backup files were created. The Linux version must also be identical between the source and target machines.
2. Use the OVOC server Management utility to perform all the required configurations, such as Networking and Security, as was previously configured on the source machine.
3. For more details, see Getting Started on page 163.
4. Make sure all server processes are up in the OVOC Server Manager / Status menu and the server functions properly.
5. Copy all the files you backed up in Chapter OVOC server Backup to the /data/NBIF directory by SCP or SFTP client using the 'acems' user. Overwrite existing files if required.
6. From the Application Maintenance menu, choose the Restore option.
   Figure 16-1: Restore Menu
7. Choose one of the following options:
   - Configuration Restore below
   - Full Restore on page 160

Configuration Restore

This option restores OVOC topology and OVOC Web configuration. The following data is restored:

- Network Topology
- License configuration
- Alarm Forwarding Rules
- Report Definitions
- PM Profiles
- QOE Thresholds
- QOE Status and Alarm definitions
- The entire configuration performed under System Configuration and System Administration menus

Data is restored from the following backup files:

- emsServerBackup_<version>_<time&date>.tar
- ovocConfigBackup_<version>_<time&date>.tar.gz

Notes:

- The restore process deletes all currently stored data as described above.
- Data that is retrieved from managed devices is not backed up, including: Alarms; Calls & SIP ladder; QoE & PM statistics; Users; Journals and Floating license reports.

To run the configuration restore operation:

1. Select Option 1: Configuration Restore. A screen similar to the following is displayed:
   Figure 16-2: Configuration Restore Prompt
2. Type y to proceed. A screen similar to the following is displayed:
   Figure 16-3: Configuration Restore-Confirm
3. Type y to proceed.
4. After the restore operation has completed, you are prompted to reboot the OVOC server.
5. If you installed custom certificates prior to the restore operation, you must reinstall these certificates (see Appendix Supplementary Security Procedures on page 283).

Full Restore

This option restores OVOC topology, OVOC Web configuration (as detailed in Configuration Restore on page 158) and data that is retrieved from managed devices including PMs, calls, alarms and journals. Data from the following backup files is restored:

- emsServerBackup_<version>_<time&date>.tar
- cassandraBackup_<version>_<date>_<snapshotId>_<MGMT>_numberOfNodes.tar
- daily_dbems__<time&date>_<randomstring>_<index>
- weekly_dbems__<time&date>_<randomstring>_<index>
- control.ctl
- init.ora

Notes:

- The restore process deletes all currently stored data including PMs, calls, alarms and journals.
- When operating in Service Provider Cluster:
  - The restore cluster should be defined with identical system specifications as the backed up server, i.e. the same number of VQM/PM servers.
  - Following restore, restart slaves and then wait up to 24 hours for Cassandra DB data (call details and PM details) to synchronize on all servers.

To run the full restore operation:

1. Select Option 2: Full Restore. A screen similar to the following is displayed:
   Figure 16-4: Full Restore Prompt
2. Type y to proceed. A screen similar to the following is displayed:
   Figure 16-5: Confirm Full Restore
3. Type y to proceed.
4. After the restore operation has completed, you are prompted to reboot the OVOC server.
5. If you installed custom certificates prior to the restore, you must reinstall these certificates (see Appendix Supplementary Security Procedures on page 283).

Part V OVOC Server Manager

This part describes the OVOC server machine maintenance using the OVOC server Management utility.
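The file lists given under Configuration Restore and Full Restore in Chapter 16 can be checked mechanically before the Restore menu is used, for example on the external machine that holds the copies. The following shell functions are an added example, not part of the AudioCodes manual or product; the function names, the assumption that <version> contains no underscore, and the rule that every listed file must be present and non-empty are assumptions, and the file names written by make_constructed_set are constructed.

```shell
#!/bin/sh
# Added example (not AudioCodes code): pre-restore completeness check for an
# OVOC backup set, using the file lists given for the two restore options.
# Assumption: <version> in archive names contains no underscore (e.g. 8.0.110).

# has_file DIR PATTERN: true if a non-empty regular file matching PATTERN exists.
has_file() {
    [ -n "$(find "$1" -type f -size +0 -name "$2" 2>/dev/null | head -n 1)" ]
}

# versions_found DIR PREFIX: distinct <version> tokens of PREFIX_<version>_* files.
versions_found() {
    find "$1" -type f -name "${2}_*" 2>/dev/null |
        sed -n "s|.*/${2}_\([^_/]*\)_[^/]*\$|\1|p" | sort -u | xargs
}

# check_backup_set DIR MODE VERSION
#   MODE: config (Configuration Restore) or full (Full Restore).
#   Prints one line per problem; returns 0 only when every listed file is usable.
check_backup_set() {
    dir=$1; mode=$2; ver=$3; rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    case $mode in
        config) versioned="emsServerBackup:.tar ovocConfigBackup:.tar.gz"
                plain="" ;;
        full)   versioned="emsServerBackup:.tar cassandraBackup:.tar"
                plain="daily_dbems_* weekly_dbems_* control.ctl init.ora" ;;
        *)      echo "mode must be config or full"; return 2 ;;
    esac
    # Archives that carry the OVOC version in their name must match VERSION,
    # because restore only works with backups created in the same version.
    for item in $versioned; do
        prefix=${item%%:*}; suffix=${item#*:}
        if ! has_file "$dir" "${prefix}_${ver}_*${suffix}"; then
            others=$(versions_found "$dir" "$prefix")
            if [ -n "$others" ]; then
                echo "no usable $prefix archive for version $ver (present: $others)"
            else
                echo "missing: ${prefix}_${ver}_*${suffix}"
            fi
            rc=1
        fi
    done
    # Database files without a version token in the name.
    set -f                      # keep the patterns literal while iterating
    for pat in $plain; do
        has_file "$dir" "$pat" || { echo "missing: $pat"; rc=1; }
    done
    set +f
    return $rc
}

# make_constructed_set DIR VERSION: fill DIR with a constructed, complete set
# (dummy content, invented timestamps) so the check can be tried offline.
make_constructed_set() {
    mkdir -p "$1/RmanBackup"
    for f in "emsServerBackup_${2}_20210306_0300.tar" \
             "ovocConfigBackup_${2}_20210306_0300.tar.gz" \
             "cassandraBackup_${2}_20210306_snap01_MGMT_1.tar" \
             "RmanBackup/daily_dbems_20210305_abc123_1" \
             "RmanBackup/weekly_dbems_20210306_abc123_1" \
             "RmanBackup/control.ctl" "RmanBackup/init.ora"
    do
        echo constructed > "$1/$f"
    done
}

# Command-line use: sh <this file> DIR MODE VERSION
if [ "$#" -eq 3 ]; then
    check_backup_set "$@"
fi
```

Because RmanBackup files are deleted during the OVOC server upgrade, running the full check against the external copy before upgrading shows whether a Full Restore would still be possible from that copy.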
The OVOC server Management utility is a CLI interface that is used to configure networking parameters and security settings and to perform various maintenance actions on the OVOC server.

Warning: Do not perform OVOC Server Manager actions directly through the Linux OS shell. If you perform such actions, OVOC application functionality may be harmed.

Note: To exit the OVOC Server Manager to Linux OS shell level, press q.

17 Getting Started

This section describes how to get started using the OVOC Server Manager.

Connecting to the OVOC Server Manager

You can run the OVOC Server Manager utility either locally or remotely:

- If you wish to run it remotely, then connect to the OVOC server using Secure Shell (SSH).
- If you wish to run it locally, then connect using the management serial port or keyboard and monitor.

Do the following:

1. Log in to the OVOC server by SSH as the 'acems' user and enter password acems.
2. Switch to the 'root' user and provide the root password (default password is root):
    su - root
3. Type the following command:
    # EmsServerManager

The OVOC Server Manager menu is displayed:

Figure 17-1: OVOC Server Manager Menu

- Whenever prompted to enter Host Name, provide letters or numbers.
- Ensure IP addresses contain all correct digits.
- For menu options where reboot is required, the OVOC server automatically reboots after changes confirmation.
- For some of the configuration options, you are prompted to authorize the changes. There are three options: Yes, No, Quit (y,n,q). Yes implements the changes, No cancels the changes and returns you to the initial prompt for the selected menu option, and Quit returns you to the previous menu.

Using the OVOC Server Manager

The following describes basic user hints for using the OVOC Server Manager:

- The screens displaying the Main menu options in the procedures described in this section are based on a Linux installation with 'root' user permissions.
- The current navigation command path is displayed at the top of the screen to indicate your current submenu location in the CLI menu. For example, Main Menu > Network Configuration > Ethernet Redundancy.
- You can easily navigate between menu options using the keyboard arrow keys or by typing the menu option number.
- Each of the menu options includes an option to return to the main menu ("Back to Main Menu") and in some cases there is an option to go back to the previous menu level by specifying either "Back" or "Quit".

OVOC Server Manager Menu Options Summary

The following describes the full menu options for the OVOC Server Management utility:

- Status: Shows the status of current OVOC processes (Viewing Process Statuses on page 169).
- General Information: Provides the general OVOC server current information from the Linux operating system, including OVOC Version, OVOC server Process Status, Oracle Server Status, Apache Server Status, Java Version, Memory size and Time Zone (Viewing General Information on page 174).
- Collect Logs: Collates all important logs into a single compressed file (Collecting Logs on page 178).
- Application Maintenance: Manages system maintenance actions (Application Maintenance on page 180):
  - Start / Restart the Application
  - Stop Application
  - Web Servers
  - Change Schedule Backup Time
  - Restore
  - License
  - Analytics API
  - Service Provider Cluster
  - Shutdown the machine
  - Reboot the machine
- Network Configuration: Provides all basic, advanced network management and interface updates (Network Configuration on page 194):
  - Server IP Address (The server is rebooted)
  - Ethernet Interfaces (The server is rebooted)
  - Ethernet Redundancy (The server is rebooted)
  - DNS Client
  - NAT
  - Static Routes
  - SNMP Agent
    - Configure SNMP Agent
      - SNMP Agent Listening Port
      - Linux System Traps Forwarding Configuration
      - SNMPv3 Engine ID
    - Start SNMP Agent
    - SNMPv3 Engine ID
  - Cloud Architecture
- Date & Time: Configures time and date settings (Date and Time Settings on page 216):
  - NTP
  - Timezone Settings
  - Date and Time Settings
- Security: Manages all the relevant security configurations (Security on page 217):
  - Add OVOC user
  - SSH
  - Oracle DB Password (OVOC server will be stopped)
  - Cassandra DB Password (OVOC server will be stopped)
  - OS Users Passwords
  - HTTP Security Settings:
    - TLS Version 1.0
    - TLS Version 1.1
    - Show Allowed SSL Cipher Suites
    - Edit SSL Cipher Suites Configuration String
    - Restore SSL Cipher Suites Configuration Default
    - Manage HTTP Service (Port 80)
    - Manage IPP Files Service (Port 8080)
    - Manage IPPs HTTP (Port 8081)
    - Manage IPPs HTTPS (Port 8082)
    - OVOC REST (Port 911)
    - Floating License REST (Port 912)
    - OVOC WebSocket (Port 915)
    - SBC HTTPS Authentication
    - Enable Device Manager client secured communication (Apache will be restarted)
    - Change HTTP/S Authentication Password for NBIF Directory
  - File Integrity Checker
  - Software Integrity Checker (AIDE) and Prelinking
  - USB Storage
  - Network Options
  - Audit Agent Options (the server will be rebooted)
  - Server Certificates Update
  - OVOC Voice Quality Package - SBC Communication
- Diagnostics: Manages system debugging and troubleshooting (Diagnostics on page 248):
  - Server Syslog
  - Devices Syslog
  - Devices Debug
  - Server Logger Levels
  - Network Traffic Capture

OVOC Server Manager Options for Service Provider Cluster

The following options are available in the OVOC Server Manager menu on the PM and VQM servers when the Service Provider Cluster feature is enabled:

- Status
- General Information
- Collect Logs
- Application Maintenance
  - Restart Application
  - Restore Service Provider Cluster Configuration
  - Shutdown
  - Reboot
- Network Configuration
  - Server IP address
- Date & Time
  - NTP
  - Timezone Settings
  - Date & Time Settings
- Security
  - SSH
  - OS Users Passwords
  - File Integrity Checker
  - Software Integrity Checker (AIDE) and Prelinking
  - USB Storage
  - Network options
- Diagnostics
  - Logger Levels
  - Network Traffic Capture

18 Viewing Process Statuses

You can view the statuses of the currently running OVOC applications.

To view the statuses of the current OVOC applications:

1. From the OVOC server Management root menu, choose Status, and then press Enter; the following is displayed:
   Figure 18-1: Application Status in Stand-alone Mode

The following table describes the application statuses when OVOC runs in Stand-alone mode.

Table 18-1: Application Statuses in Stand-alone Mode

Application | Status
Watchdog | Indicates the status of the OVOC Watchdog process.
OVOC Monitor | Validates the local OVOC server connection, clock configuration and installed software version.
OVOC Server | Indicates the status of the OVOC server process.
QoE CPEs Master | Indicates the voice quality master process status on the local server.
QoE CPEs Slave | Indicates the voice quality slave process status on the local server (identical to QoE CPEs Master process in Stand-alone mode).
QoE Lync Server | Indicates the status of the process that is responsible for retrieving Skype for Business calls and for monitoring connectivity status with Microsoft Lync server.
QoE Endpoints Server | Indicates the status of the Endpoint Server, which manages the UDP connection with the Endpoints (IP Phones) for Voice Quality Package SIP Publish RFC 6035 messages.
Floating License Server | Indicates the status of the connection between the OVOC server and the Floating License service.
Performance Monitoring Server | Indicates the status of the internal SNMP connection used by the OVOC server for polling managed devices.
WebSocket Server | Indicates the status of the internal connection between the WebSocket client (OVOC Web interface) and the OVOC server. This connection is used for managing the alarm and task notification mechanism.
Kafka | Indicates the status of the Kafka process for managing alarms retrieved from the VQM and PM servers.
Cassandra | Indicates the status of the Cassandra database that manages Call Details and SIP Ladder messages.
QoE Teams Server | Indicates the status of the OVOC process (QoE Teams Server Up/Down) that is responsible for retrieving Teams Call Records from defined MS Teams Tenants and for monitoring connectivity status with MS Teams Tenants.
Oracle DB | Indicates the status of the Oracle Database process.
Oracle Listener | Indicates the status of the Oracle Listener process.
Cloud Tunnel Service: Indicates the status of the Cloud Tunnel Service (see Configure OVOC Cloud Architecture Mode on page 115).
Apache HTTP Server: Indicates the status of the Apache server, which manages the following connections:
  - HTTP/S connection with the AudioCodes device.
  - The OVOC server-Client connection.
  - The HTTP connection that is used by Endpoints for downloading firmware and configuration files from the OVOC server.
SNMP Agent: Indicates the status of the Linux SNMP Agent process. This agent is not responsible for the SNMPv2/SNMPv3 connection with the AudioCodes devices.
NTP Daemon: Indicates the status of the NTP Daemon process.

Viewing Process Statuses in Service Provider Cluster Mode

The figure below illustrates the process statuses in Service Provider Cluster mode.

To view the statuses of the current OVOC applications:
1. From the OVOC server Management root menu, choose Status, and then press Enter; the following is displayed:

Figure 18-2: Application Statuses in Service Provider Cluster on Management Server

Table 18-2: Application Statuses in Service Provider Cluster
Application: Status
Watchdog: Indicates the status of the OVOC Watchdog process.
OVOC Monitor: Validates that all the cluster nodes are connected to the network, that their clocks are synchronized with the Management server and that all nodes are installed with the same OVOC software version.
OVOC Server: Indicates the status of the OVOC server process.
QoE CPEs Master: Indicates the voice quality process status on the Management server.
QoE CPEs Slave: Indicates the voice quality process status on the VQM server node in the cluster.
QoE Lync Server: Indicates the status of the Skype for Business Server MS-SQL Server HTTP/S connection.
QoE Endpoints Server: Indicates the status of the Endpoint Server, which manages the UDP connection with the Endpoints (IP Phones) for Voice Quality Package SIP Publish RFC 6035 messages.
Floating License Server: Indicates the status of the connection between the OVOC server and the Floating License service.
Performance Monitoring Server: Indicates the PM process status on the PM server node in the cluster.
WebSocket Server: Indicates the status of the internal connection between the WebSocket client (OVOC Web interface) and the OVOC server. This connection is used for managing the alarm and task notification mechanism.
Kafka: Indicates the status of the Kafka process for managing alarms retrieved from the VQM and PM servers.
Cassandra: Indicates the status of the Cassandra database that manages Call Details and SIP Ladder messages.
QoE Teams Server: Indicates the status of the OVOC process (QoE Teams Server Up/Down) that is responsible for retrieving Teams Call Records from defined MS Teams Tenants and for monitoring connectivity status with MS Teams Tenants.
Oracle DB: Indicates the status of the Oracle Database process.
Oracle Listener: Indicates the status of the Oracle Listener process.
Cloud Tunnel Service: Indicates the status of the Cloud Tunnel Service (see Configure OVOC Cloud Architecture Mode on page 115).
Apache HTTP Server: Indicates the status of the Apache server, which manages the following connections:
  - HTTP/S connection with the AudioCodes device.
  - The OVOC server-Client connection.
  - The HTTP connection that is used by Endpoints for downloading firmware and configuration files from the OVOC server.
SNMP Agent: Indicates the status of the Linux SNMP Agent process. This agent is not responsible for the SNMPv2/SNMPv3 connection with the AudioCodes devices.
NTP Daemon: Indicates the status of the NTP Daemon process.

The following figure displays the server status on the VQM node.
Figure 18-3: VQM Server Status

The following figure displays the status on the PM server.

Figure 18-4: PM Server Status

19 Viewing General Information

This section describes the General Information and Logs collection options. The General Information option provides detailed information about the OVOC server configuration and current status variables. The following information is provided:
- Components versions
- Components Statuses
- Memory size and disk usage
- Network configuration
- Time Zone and NTP configuration
- User logged in and session type

To view General Information:
1. From the OVOC Server Manager root menu, choose General Information, and then press Enter; the following is displayed:

Figure 19-1: General Information

2. Press <more> to view more information; the following is displayed:

Figure 19-2: General Information 1

Figure 19-3: General Information 2

Viewing General Information in Service Provider Cluster Mode

The following shows general information that is displayed when the OVOC server is configured in Service Provider Cluster mode.

To view General Information:
1. From the OVOC Server Manager root menu, choose General Information, and then press Enter; the following is displayed:

Figure 19-4: General Information Service Provider Cluster Node (PM/VQM servers)

Figure 19-5: General Information Service Provider Cluster Node (PM/VQM servers)

20 Collecting Logs

This option enables you to collect important log files. All log files are collected in a single file log.tar that is created under the user home directory.
When operating in the Service Provider Cluster Mode, logs are collected from all server nodes in the cluster (Management, VQM and PM servers).

The following log files are collected:
- OVOC server Application logs
- General Info logs
- Apache logs and configuration files
- Cassandra DB logs
- OS logs
- Oracle DB logs
- Hardware information (including disk)
- OS Configuration
- File Descriptors used by processes info
- Rman logs
- Installation logs
- Oracle Database logs
- Server's Syslog Messages
- Yafic scan files
- Topology file
- Topology export file
- License file and Decoded License file
- Relevant network configuration files (including static routes)

To collect logs:
From the OVOC server Management root menu, choose Collect Logs, and then press Enter; you are prompted whether you wish to collect logs. Enter y to proceed; the OVOC server commences the log collection process. This process can take a few minutes. Once the file generation has completed, a message is displayed on the screen informing you that a Diagnostic tar file has been created and the location of the tar file:

Figure 20-1: Collecting Logs

21 Application Maintenance

This section describes the application maintenance.
To configure application maintenance:
From the OVOC Server Manager root menu, choose Application Maintenance; the following is displayed:

Figure 21-1: Application Maintenance

This menu includes the following options:
- Start/Restart Application (Start or Restart the Application below)
- Stop Application (Stop the Application on page 182)
- Web Servers (Web Servers on page 182)
- Change Schedule Backup Time (Change Schedule Backup Time)
- Restore (OVOC Server Restore on page 158)
- License (License on page 183)
- Analytics API (Analytics API on page 187)
- Service Provider Cluster (Service Provider Cluster on page 188)
- Shutdown the Machine (Shutdown the OVOC Server Machine on page 193)
- Reboot the Machine (Reboot the OVOC Server Machine on page 193)

Start or Restart the Application

This section describes how to start or restart the application.

To start/restart the application:
1. From the Application Maintenance menu, choose Start/Restart the Application, and then press Enter; the following is displayed:

Figure 21-2: Start or Restart the OVOC server

2. Do one of the following:
- Select Yes to start/restart the OVOC server
- Select No to return to menu

Start and Restart in Service Provider Cluster Mode

When running in Service Provider Cluster, the process statuses following start or restart of the OVOC server are shown in the figures below. For VQM and PM servers, there is no option in the OVOC Server Manager to stop the server (only the "Restart" action is available).

Figure 21-3: PM Server

Figure 21-4: VQM Server

Stop the Application

To stop the application:
1. In the Application menu, choose option Stop Application.
2. You are prompted whether you wish to stop the OVOC server.

Figure 21-5: Stop OVOC server

Web Servers

This option enables you to stop and start the Apache HTTP Web server.

To stop/start the Apache HTTP Web server:
1.
From the Application maintenance menu, choose Web Servers, and then press Enter; the following is displayed:

Figure 21-6: Web Servers

2. Select option Stop/Start the Apache HTTP Server.

Change Schedule Backup Time

This option enables you to reschedule the time that you wish to back up the OVOC server (OVOC server Backup).

License

The License menu enables you to view the details of the existing license or upload a new license. The OVOC server License (SBC License pool, IP Phones and Voice Quality) should have a valid license loaded to the server in order for it to be fully operational. To obtain a valid license for your OVOC server License, you should activate your product through the License Activation tool at http://www.AudioCodes.com/swactivation. You will need your Product Key (see below) and the Server Machine ID (see below) for this activation process:
- ProductKey: the Product Key string is used in the customer order for upgrading the OVOC product. For more information, contact your AudioCodes partner.
- Machine ID: indicates the OVOC Machine ID that should be taken from the server as shown in the screen below (enter this ID in the Fingerprint field in the Activation form). This ID is also used in the customer order process when the product key is not known (for more information contact your AudioCodes representative).
- License Status: indicates whether the OVOC license is enabled (OVOC License on the next page below).
- OVOC Advanced: indicates whether the Voice Quality license is enabled (default-no). When this parameter is set to default, the following Voice Quality feature licenses are available: Total Devices = 2, Total Endpoints = 10, Total Sessions = 10, Total Users = 10. When set to Yes, the above parameters can be configured according to the number of purchased licenses.
- Expiration Date: indicates the expiration date of the OVOC time license.
By default, this field displays 'Unlimited' (below). The time zone is determined by the configured date and time in the Date & Time menu (Timezone Settings on page 214).

When you order AudioCodes devices (Mediant SBC and Mediant Gateway AudioCodes products), ensure that a valid feature key is enabled with the "OVOC" parameter for those devices that you wish to manage. Note that this feature key is a separate license to the OVOC server license.

Licenses can be allocated to Tenants in the OVOC Web according to the license parameters displayed in the License screen (see example in OVOC License below).

OVOC License

The OVOC time license sets the time period for product use. When the time license is enabled and the configured license time expires, the connection to the OVOC server is denied. The time based license affects all the features in the OVOC including the SBC License Pool, Devices (entities managed by the Device Manager) and Voice Quality Management. When the OVOC server time license approaches or reaches its expiration date, the 'License alarm' is raised (refer to the One Voice Operations Center Alarms Guide).

To view the license details or upload a new license:
1. Copy the license file that you have obtained from AudioCodes to the following path on the OVOC server machine: /home/acems/<License_File>
2. From the Application Maintenance menu, choose License option, and then press Enter; the current License details are displayed:

Figure 21-7: License Manager

Table 21-1: License Pool Parameters
License Type, then License Parameter: description

Floating License
  SBC Sessions: The maximum number of concurrent SBC call sessions.
  SBC Registrations: The maximum number of SIP endpoints that can register with the SBC devices.
  SBC Transcoding: The maximum number of SBC transcoding sessions.
  SBC Signaling: The maximum number of SBC signaling sessions.
FlexPool License
  SBC Devices: The maximum number of SBC devices that can be managed by the FlexPool.
  SBC Sessions: The maximum number of concurrent license SBC call sessions.
  SBC Registrations: The maximum number of SIP endpoints that can register with the SBC devices.
  SBC Transcoding: The maximum number of SBC transcoding sessions.
  SBC Signaling: The maximum number of SBC signaling sessions.
  SBC Shutdown on Failure (Days): Default: 90 days. When an SBC device does not receive acknowledgment from the OVOC server that Usage reports have been received within the specified grace period, then service is shut down for this SBC device. The SBC must then re-establish connection with the OVOC server.
Fixed License Pool
  SBC Managed Devices: The total number of devices that can be managed by the Fixed License Pool.
  SBC Registrations: The number of SIP endpoints that can register with the SBC devices.
  SBC Sessions: The maximum number of concurrent license SBC call sessions.
  SBC Signaling: The maximum number of SBC signaling sessions.
  SBC Transcoding: The maximum number of SBC transcoding sessions.
  CB Users: The maximum number of CloudBond 365 users.
  CB PBX Users: The maximum number of PBX users. Currently not supported.
  CB Analog Devices: The maximum number of CB Analog devices. Currently not supported.
  CB Voicemail Accounts: The maximum number of CB Voicemail accounts. Currently not supported.
Endpoints
  Devices: The maximum number of endpoints that can be managed by the Device Manager Pro.
Voice Quality
  Total Devices: The maximum number of Voice Quality monitored devices.
  Total Endpoints: The maximum number of Voice Quality monitored endpoints.
  Total Sessions: The maximum number of concurrent Voice Quality monitored SBC call sessions.
  Total Users: The maximum number of Voice Quality monitored users supported by the SBC.
  A license value higher than 10 must be purchased to enable adding Skype for Business devices in the OVOC Web interface. For customers with existing Skype for Business devices defined in OVOC with 10 or fewer licenses, there are no changes; however, new Skype for Business devices cannot be added.
  Total Reports: The maximum number of customized Voice Quality reports that can be generated in OVOC. Template reports can be generated without purchasing licenses; however, to generate customized reports, licenses must be purchased. These licenses can be allocated to tenant or system operators in the OVOC Web interface. For OVOC upgrades prior to version 7.8 releases: OVOC migrates old Scheduled reports as Custom reports even if there are insufficient licenses; however, the operator will not be able to add additional Custom reports even if they delete existing reports until the Custom Reports count is below the Total Reports license value.
Analytics Stats: Enables the Analytics API feature for retrieving Voice Quality data from Northbound Database access clients. By default disabled when OVOC Advanced package is enabled.
Masterscope MasterScope License: Enables Single Sign-on to the MasterScope network equipment analysis application from the OVOC Web interface.

3. To load a new license, choose option 1.
4. Enter the license file path and name.
5. Restart the OVOC server.

Analytics API

The Analytics API enables access to selected data from the OVOC database for the purpose of integration into Northbound third-party interfaces. Customers can connect to the OVOC Database using third-party DB access clients and retrieve topology and statistics. This data can then be used in management interfaces such as Power BI, Splunk and other Analytic tools to generate customized dashboards, reports and other representative management data. This may be particularly useful during management reporting periods.
The following data can be retrieved:
- Network Topology including Tenants, Regions, Devices, Non-ACL Devices, Links
- QoE Statistics including Calls, Nodes and Links Summaries
- Active and History Alarms

A dedicated DB operator ("Analytics") is used for securing connection to the OVOC server over port 1521. This port must be open on the customer firewall once this feature is enabled by the feature key (see OVOC License on page 184) and in the procedure described below. For more information, refer to the OVOC Northbound Integration Guide.

To manage the Analytics API:
1. From the Application Maintenance menu, choose Analytics API. The License status indicates whether the license feature is enabled and the Operational status indicates whether this option is enabled.

Figure 21-8: Analytics API

Once enabled, an option "Change DB User Password" to change the default authentication password for the Analytics user connection appears in the menu. Enter the desired password and confirm.

Service Provider Cluster

The Service Provider Cluster mode enables load sharing between Voice Quality and Performance Monitoring and General Management processes with a separate Virtual Machine for each process.

Service Provider Cluster setup is released in this version as a Controlled Introduction feature. When customers are ready to deploy this feature, contact the AudioCodes OVOC Product Manager to coordinate an initial interview session.

The figure below illustrates the topology.

Figure 21-9: Service Provider Cluster

- The Cassandra database for managing Call Details, SIP Ladder messages and PM Details runs in a Cluster mode on each of the following nodes: Management, VQM and PM servers.
- The QoE CPEs server process for managing the XML-based Voice Quality Package communication with managed devices runs as a sub-process on the VQM server.
- The Performance Monitoring process for polling managed devices runs as a sub-process on the Performance Monitoring Slave server.
- Alarms are sent from the node servers to the Management server using Kafka.

The procedure below describes how to configure the cluster nodes and to perform synchronization between the configured cluster nodes and the management server.

To configure service provider cluster:
1. From the Application Maintenance menu, choose Service Provider Cluster.

Figure 21-10: Service Provider Cluster

2. Select option 'Add VQM Server' to add a virtual machine for a VQM Server: Enter the server's IP address and confirm.
3. Select option 'Add PM Server' to add a virtual machine for a PM Server: Enter the server's IP address and confirm.

- The server that you wish to add must be connected to the network.
- The OVOC server must be pre-installed on the PM/VQM server (see OVOC Software Deliverables on page 15).
- The Management server clock must be synchronized with the PM/VQM clock.

Remove PM or VQM Server from Cluster

This section describes how to remove a PM or VQM server from the Service Provider Cluster. This scenario occurs when this server is connected to the cluster and needs to be removed (its data is synchronized with other servers in the network).

- Before performing this action, it's recommended to back up from cluster (see OVOC Server Backup Processes on page 156).
- The server removal process is time-consuming due mainly to the data redistribution process.
- Make sure that the PM/VQM server is connected and running before removing it.

To remove PM or VQM server from the cluster:
1. From the Service Provider Cluster menu, choose Remove Server.

Figure 21-11: Removing PM/VQM Server

Force Remove PM or VQM Server from Cluster

This section describes how to force remove a PM or VQM server from the Service Provider Cluster.
This scenario occurs when this server is not connected and its data cannot be synchronized and you wish to remove it from the cluster.

- Before performing this action, it's recommended to back up from cluster (see OVOC Server Backup Processes on page 156).
- Data may be lost since removed server data cannot be redistributed.

To force remove a node from the service provider cluster:
1. From the Service Provider Cluster menu, choose Force Remove Server.

Figure 21-12: Removing Slave Server

Synchronize Cluster Node Servers

The synchronization option performs sync on the shared files in the cluster configuration including DB passwords and server configurations.

To synchronize cluster node servers:
1. From the Service Provider Cluster menu, choose Synchronize Servers. Shared files in the cluster are updated.

Figure 21-13: Synchronize Cluster Mode

Shutdown the OVOC Server Machine

This section describes how to shut down the OVOC server machine. When operating in the Service Provider Cluster Mode, enabling this option shuts down the entire cluster.

To shut down the OVOC server machine:
1. From the Application Maintenance menu, choose Shutdown the Machine, and then press Enter.
2. Type y to confirm the shutdown; the OVOC server machine is shut down.

Reboot the OVOC Server Machine

This section describes how to reboot the OVOC server machine.

To reboot the OVOC server machine:
1. From the Application Maintenance menu, choose Reboot the Machine, and then press Enter.
2. Type y to confirm the reboot; the OVOC server machine is rebooted.

22 Network Configuration

This section describes the networking options in the OVOC Server Manager.
To run the network configuration:
From the OVOC Server Manager root menu, choose Network Configuration; the following is displayed:

Figure 22-1: Network Configuration

This menu includes the following options:
- Server IP Address (the server will be rebooted) (Server IP Address on the next page)
- Ethernet Interfaces (the server will be rebooted) (Ethernet Interfaces on page 196)
- Ethernet Redundancy (the server will be rebooted) (Ethernet Redundancy on page 200)
- DNS Client (DNS Client on page 204)
- NAT (Configure OVOC Server with Public or NAT IP Address on page 114)
- Static Routes (Static Routes on page 205)
- OVOC Proxy Settings (Proxy Settings on page 206)
- SNMP Agent (SNMP Agent on page 207)
- Cloud Architecture (Configure OVOC Cloud Architecture Mode on page 115)

The following options are not applicable in Cloud deployments:
- Server IP Address
- Ethernet interfaces
- Ethernet redundancy

Server IP Address

This option enables you to update the OVOC server's IP address. This option also enables you to modify the OVOC server host name. When this operation has completed, the OVOC automatically reboots for the changes to take effect.

When configuring PM and VQM servers: this option can only be applied before adding these servers to the cluster.

To change Server's IP address:
1. From the Network Configuration menu, choose Server IP Address, and then press Enter; the following is displayed:

Figure 22-2: OVOC Server Manager Change Server's IP Address

2. Configure IP configuration parameters as desired. Each time you press Enter, the different IP configuration parameters of the OVOC server are displayed. These parameters include the Server Host Name, IP address, Subnet Mask, Network Address and Default Gateway.
3. Type y to confirm the changes, and then press Enter.
Figure 22-3: IP Configuration Complete

Upon confirmation, the OVOC automatically reboots for the changes to take effect.

Ethernet Interfaces

This section describes how to configure Ethernet interfaces.

OVOC Client Login on all OVOC Server Network Interfaces

The OVOC server can be configured with up to four network interfaces (connected to different subnets) as described above. You can connect to any one of the above interfaces directly from the OVOC client login dialog. The "Server IP" field in OVOC client login dialog is set to the desired OVOC server network interface IP address.

Figure 22-4: OVOC server: Triple Ethernet Interfaces

In case gateways are located in different subnets, static routes should be provisioned to allow the connection from 'Southbound Network' to each one of the subnets. For Static Routes configuration, see Static Routes on page 205.

To ensure that the network configuration is performed successfully, test that the OVOC is successfully connected to each one of the gateways by running the following basic tests:
- Adding the gateway to the OVOC application
- Reviewing its status screen
- Performing basic configuration action (set of 'MG Location' in Media Gateways Provisioning Frame / General Setting tab)
- Ensuring that the OVOC receives traps from the gateway by adding TP boards in one of the empty slots and ensuring that the 'Operational Info' Event is received.

To configure Ethernet Interfaces:
1. From the Network Configuration menu, choose Ethernet Interfaces, and then press Enter; the following is displayed:

Figure 22-5: OVOC Server Manager Configure Ethernet Interfaces

2. Choose from one of the following options:
- Add Interface: Adds a new interface to the OVOC server (Add Interface below).
- Remove Interface: Removes an existing interface from the OVOC server (Remove Interface on the next page).
- Modify Interface: Modifies an existing interface from the OVOC server (Modify Interface on the next page).

Add Interface

This section describes how to add a new interface.

To add a New Interface:
1. From the Ethernet Interfaces menu, choose option 1; a list of currently available interfaces (not yet configured) is displayed.
2. Choose an interface (on HP machines the interfaces are called 'eno1', 'eno2', etc).
3. Choose the Network Type.
4. Enter values for the following interface parameters and confirm:
- IP Address
- Hostname
- Subnet Mask
The new interface parameters are displayed.
5. Type y to confirm the changes; the OVOC server automatically reboots for the changes to take effect.

Figure 22-6: Add Interface Parameters

Remove Interface

This section describes how to remove an interface.

To remove an existing interface:
1. From the Ethernet Interfaces menu, choose option 2; the following is displayed:
2. Choose the interface to remove.
3. Type y to confirm the changes; the OVOC server automatically reboots for the changes to take effect.

Modify Interface

This section describes how to modify an existing interface.

To modify an existing interface:
1. From the Ethernet Interfaces menu, choose option 3.
2. Choose the interface to modify; the following is displayed:
3. Change the interface parameters.
4. Type y to confirm the changes; the OVOC server automatically reboots for the changes to take effect.

Ethernet Redundancy

This section describes how to configure Ethernet Redundancy. Physical Ethernet Interfaces Redundancy provides failover when you have multiple network interface cards that are connected to the same IP link. The OVOC server supports up to four Ethernet interfaces.
For enhanced network security, it is recommended to use two interfaces and to define Ethernet ports redundancy on both of them (for example, OVOC Clients [Northbound] and Gateways [Southbound]). This option enables you to configure Ethernet ports redundancy. When the operation is finished, the OVOC server automatically reboots for the changes to take effect.

Figure 22-7: Physical Ethernet Interfaces Redundancy

To configure Ethernet Redundancy:
1. From the Network Configuration menu, choose Ethernet Redundancy option, and then press Enter; the following is displayed:

Figure 22-8: Ethernet Redundancy Configuration

2. This menu includes the following options:
- Add Redundant Interface (Add Redundant Interface below).
- Remove Redundant Interface (Remove Ethernet Redundancy on the next page).
- Modify Redundant Interface (Modify Redundant Interface on page 203).

Add Redundant Interface

Remove a redundant interface under the following circumstances:
- You have configured an Ethernet interface (Add Redundant Interface above).
- Your default router can respond to a 'ping' command, due to a heartbeat procedure between interfaces and the default router (to verify activity).

To add a redundant interface:
1. From the Ethernet Redundancy menu, choose option 1.
2. Choose the network type for which to create a new redundant interface (for example, 'OVOC Client-Server Network').
3. Choose the interface in the selected network that you wish to make redundant (for example, 'eno', 'eno1', 'eno2').
4. Choose the redundancy mode (for example, 'balance-rr', 'active-backup').
5. Type y to confirm the changes; the OVOC server automatically reboots for changes to take effect.

Figure 22-9: Add Redundant Interface

Remove Ethernet Redundancy

This section describes how to remove an Ethernet redundancy interface.

To remove the Ethernet Redundancy interface:
1.
From the Ethernet Redundancy menu, choose option 2.
2. Choose the network redundancy to remove. The current Ethernet redundancy configuration is displayed.
3. Type y to confirm the changes; the OVOC server automatically reboots for the changes to take effect.

Figure 22-10: Ethernet Redundancy Interface to Disable

Modify Redundant Interface

This section describes how to modify a redundant interface.

To modify redundant interface and change redundancy settings:
1. From the Ethernet Redundancy menu, choose option 3.
2. Choose the Ethernet redundancy interface to modify.
3. Change the redundancy settings.
4. Type y to confirm the changes; the OVOC server automatically reboots for the changes to take effect.

Figure 22-11: Modify Redundant Interface

DNS Client

Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address. If a DNS server cannot fulfill your request, it refers the request to another DNS server, and the request is passed along until the domain-name-to-IP-address match is made.

This option enables you to configure the client side (Resolver). If there is no existing DNS configuration, the option Configure DNS is displayed. If already configured, the option Modify DNS is displayed.

To Configure the DNS Client:
1. From the Network Configuration menu, choose DNS Client, press Enter, and then in the sub-menu, choose Configure DNS; the following is displayed:

Figure 22-12: DNS Setup

2. Specify the location domain. Type y to specify the local domain name or type n, and then press Enter.
3. Specify a search list; type y to specify a list of domains (use a comma delimiter to separate search entries in the list) or type n, and then press Enter.
4. Specify DNS IP addresses 1, 2 and 3.
5. Type y to confirm your configuration; the new configuration is displayed.

Static Routes

This option enables you to add or remove static route rules. Static routes are usually only used in conjunction with /etc/defaultrouter. Static routes may be required for network topologies where you don't want to traverse your default gateway/router. In this case, you will probably wish to make the routes permanent by adding the static routing rules.

To configure static routes:
1. From the Network Configuration menu, choose Static Routes, and then press Enter; the Static Routes Configuration is displayed:

Figure 22-13: Routing Table and Menu

2. From the Static Routes configuration screen, choose one of the following options:
   - Add a Static Route
   - Remove a Static Route

To add a static route:
1. From the Static Routes menu, choose option 1.
2. Enter the Destination Network Address.
3. Enter the router's IP address.
4. Type y to confirm the changes.

To remove a static route:
1. From the Static Routes menu, choose option 2.
2. Enter the Destination Network Address for the static route you wish to remove.
3. Enter the router's IP address.
4. Type y to confirm the changes.

Proxy Settings

This option enables the configuration of a proxy server connection that is used to connect between OVOC and a remote platform such as AudioCodes Floating License. The connection is configured over HTTP/HTTPS/FTP.

To configure proxy settings:
1. From the Network Configuration menu, choose Proxy Settings.
2. Select Configure Proxy, and confirm that you wish to configure the HTTP/HTTPS/FTP Proxy server.
3. Enter the FQDN (without underscores), IP address and port of the proxy server.
4. Enter the Proxy username and password.
5. Enter "No Proxy" addresses (a list of IP addresses for connecting directly from OVOC and not through a proxy server).

Figure 22-14: Proxy Settings

HTTPS Proxy server is currently not supported.

SNMP Agent

The SNMP Management agent enables access to system inventory and monitoring and provides support for alarms using the industry standard management protocol: Simple Network Management Protocol (SNMP). This agent serves OVOC, NMS, or higher level management system synchronization.

This menu includes the following options:
- Stop and start the SNMP agent
- Configure the SNMP agent, including:
  - Configure the SNMP agent listening port (see SNMP Agent Listening Port)
  - Configure the northbound destination for Linux system traps forwarding (see Linux System Trap Forwarding Configuration)
  - Configure the SNMPv3 Engine ID (see Server SNMPv3 Engine ID)

To configure SNMP Agent:
1. From the Network Configuration menu, choose SNMP Agent, and then press Enter.

Figure 22-15: SNMP Agent

The SNMP Agent status is displayed.

To start the SNMP Agent:
Choose option 2.

To configure SNMP Agent:
1. Choose option 1.

Figure 22-16: Configure SNMP Agent

SNMP Agent Listening Port

The SNMP Agent Listening port is a bi-directional UDP port used by the SNMP agent for listening for traps from managed devices. You can change this listening port according to your network traffic management setup.

To configure the SNMP Agent Listening port:
1. Choose option 1.

Figure 22-17: SNMP Agent Listening Port

2. Configure the desired listening port (default 161).

Linux System Trap Forwarding Configuration

This option enables you to configure the northbound interface for forwarding Linux system traps.

To configure the Linux System Traps Forwarding Configuration:
1. Choose option 2.
2. Configure the NMS IP address.
3. Enter the Community string; the new configuration is applied.

Server SNMPv3 Engine ID

The OVOC server Engine ID is used by the SNMPv3 protocol when alarms are forwarded from the OVOC to an NMS.
By default, the OVOC server SNMPv3 Engine ID is automatically created from the OVOC server IP address. This option enables the user to customize the OVOC server Engine ID according to their NMS configuration.

To configure the SNMPv3 Engine ID:
1. From the Network Configuration menu, choose SNMPv3 Engine ID, and then press Enter; the following is displayed:

Figure 22-18: OVOC Server Manager Configure SNMPv3 Engine ID

2. Enter the 12 separate bytes of the Engine ID (the valid range for each byte is -128 to 127). For each byte, press Enter to confirm the value and proceed to the next one.
3. When all Engine ID bytes are provided, type y to confirm the configuration.

To return to the root menu of the OVOC Server Manager, press q.

Figure 22-19: SNMPv3 Engine ID Configuration Complete Configuration

23 NTP & Clock Settings

This chapter describes how to configure the NTP clock source and the OVOC server system clock.

1. From the OVOC server Manager menu, choose Date & Time.

Figure 23-1: Date & Time Settings

This menu includes the following options:
- NTP (see NTP below)
- Timezone Settings (see Timezone Settings)
- Date & Time Settings (see Date and Time Settings)

NTP

Network Time Protocol (NTP) is used to synchronize the time and date of the OVOC server and all its components with connected devices in the IP network. This option enables you to do the following:
- Configure the OVOC server to obtain its clock from an external NTP clock source. Other devices that are connected to the OVOC server in the IP network can synchronize with this clock source. These devices may be any device containing an NTP server or client.
- Configure the OVOC server as the NTP server source (Stand-alone NTP server) and allow other clients and subnets in the IP network to synchronize to this source.

It is recommended to configure the OVOC server to synchronize with an external clock source because the OVOC server clock is less precise than other NTP devices. For example, for Cloud deployments, it is recommended to configure the Microsoft Azure or Amazon AWS platforms as the external clock source.

Configure the same NTP server IP address/domain name and other relevant settings on both the OVOC server and on the AudioCodes device (Setup > Administration > Time & Date).

When connecting OVOC to Skype For Business, ensure that the same NTP server clock source is configured on both ends.

To configure NTP:
1. From the Date & Time menu, choose NTP, and then press Enter; the following is displayed:

Figure 23-3: OVOC Server Manager - Configure NTP

2. From the NTP menu, choose Configure NTP.
3. At the prompt, do one of the following:
   - Type y for the OVOC server to act as both the NTP server and NTP client. Enter the IP address or domain name of the NTP servers to serve as the clock reference source for the NTP client (up to four NTP servers can be configured). The NTP process daemon starts and the NTP status information is displayed on the screen.

     Figure 23-4: External Clock Source

   - Type n for the OVOC server to function as a Stand-alone NTP server. The NTP process daemon starts and the NTP status information is displayed on the screen.

     Figure 23-5: Local Clock Source

Stopping and Starting the NTP Server

This section describes how to stop and start the NTP server.

To start NTP services:
From the NTP menu, choose option 2, and then choose one of the following options:
- If NTP Service is on: Stop NTP
- If NTP Service is off: Start NTP

The NTP daemon process starts; when the process completes, you return to the NTP menu.

Restrict Access to NTP Clients

When the OVOC server is configured as a Stand-alone NTP server, you configure NTP rules to authorize which clients can synchronize with the OVOC NTP clock.

To allow access to NTP clients:
From the NTP menu, choose option Restrict Access to NTP Clients to allow or restrict access to NTP clients; the screen is updated accordingly.

Activate DDoS Protection

This option enables you to activate DDoS protection for preventing Distributed Denial of Service attacks on the OVOC server, for example, attacks resulting from security scans. This is relevant both when the OVOC server is configured as a Stand-alone clock source and when an external clock source is used.

To activate DDoS protection:
From the NTP menu, select Activate/Deactivate DDoS Protection.

Authorizing Subnets to Connect to OVOC NTP

When the OVOC server is configured as a Stand-alone NTP server, you can configure NTP rules to authorize which subnets can synchronize with the OVOC NTP clock.

To authorize subnets:
From the NTP menu, select Add Authorized Subnet to Sync by NTP.

To remove an authorized subnet from NTP rules:
From the NTP menu, select Remove Subnet from NTP Rules.

Timezone Settings

This option enables you to change the timezone of the OVOC server.

The Apache server is automatically restarted after the timezone changes are confirmed.

To change the system timezone:
1. From the Date & Time menu, choose Time Zone Settings, and then press Enter.
2. Enter the required time zone.
3. Type y to confirm the changes; the OVOC server restarts the Apache server for the changes to take effect.

Date and Time Settings

You can set the date and time for the OVOC server system clock.

To configure date and time:
1. From the Date & Time menu, select Date & Time Settings, and then press Enter.

Figure 24-1: New Server Time

2. Enter the new time as shown in the following example:
   mmddHHMMyyyy.SS : month(08), day(16), Hour(16), Minute(08), year(2007), "." Second.

25 Security

The OVOC Management security options enable you to perform security actions, such as configuring the SSH Server Configuration Manager, and user administration.

To configure security settings:
From the OVOC Server Manager root menu, choose Security, and then press Enter; the following is displayed:

Figure 25-1: Security Settings

This menu includes the following options:
- Add OVOC User (see OVOC User)
- SSH (see SSH)
- Oracle DB Password (see Oracle DB Password)
- Cassandra Password (see Cassandra Password)
- OS Users Password (see OS Users Passwords)
- HTTP Security Settings (see HTTPS SSL TLS Security)
- Server Certificate Update (see Server Certificates Update)
- File Integrity Checker (see File Integrity Checker)
- Software Integrity Checker (AIDE) and Pre-linking (see Software Integrity Checker (AIDE) and Pre-linking)
- USB Storage (see USB Storage)
- Network options (see Network Options)
- Audit Agent Options (see Auditd Options)
- OVOC Voice Quality Package (see OVOC Voice Quality Package - SBC Communication)

OVOC User

This option enables you to add a new administrator user to the OVOC server database. This user can then log into the OVOC client.

It is advised to use this option to define an operator only in cases where all the OVOC application users are blocked and there is no way to perform an application login.

To add an OVOC user:
1. From the Security menu, choose Add OVOC User, and then press Enter.
2. Enter the name of the user you wish to add.
3. Enter a password for the user.
4. Type y to confirm your changes.

Note and retain these passwords for future access.

SSH

This section describes how to configure the OVOC server SSH connection properties using the SSH Server Configuration Manager.

To configure SSH:
1. From the Security menu, choose SSH; the following is displayed:

Figure 25-2: SSH Configuration

This menu includes the following options:
- Configure SSH Log Level (see SSH Log Level).
- Configure SSH Banner (see SSH Banner).
- Configure SSH on Ethernet Interfaces (see SSH on Ethernet Interfaces).
- Disable SSH Password Authentication (see Enable/Disable SSH Password Authentication).
- Enable SSH Ignore User Known Hosts Parameter (see Enable SSH IgnoreUserKnownHosts Parameter).
- Configure SSH Allowed Hosts (see SSH Allowed Hosts).

SSH Log Level

You can configure the log level of the SSH daemon server. The log files are found at the location '/var/log/secure' (older records are stored in secure.1, secure.2 etc.).

To configure the SSH Log Level:
1. From the SSH menu, choose option 1, and then press Enter; the following is displayed.

Figure 25-3: SSH Log Level Manager

2. To configure the desired log level, choose the number corresponding to the desired level from the list, and then press Enter. The SSH daemon restarts automatically. The Log Level status is updated on the screen to the configured value.

SSH Banner

The SSH Banner displays a pre-defined text message each time the user connects to the OVOC server using an SSH connection. You can customize this message. By default this option is disabled.

To configure the SSH banner:
1. From the SSH menu, choose option 2, and then press Enter; the following is displayed:

Figure 25-4: SSH Banner Manager

2. Edit the '/etc/issue' file with the desired text.
3. Choose option 1 to enable or disable the SSH banner. Whenever you change the banner state, SSH is restarted. The 'Current Banner State' is displayed in the screen.

SSH on Ethernet Interfaces

You can allow or deny SSH access separately for each network interface enabled on the OVOC server.

To configure SSH on Ethernet interfaces:
From the SSH menu, choose option 3, and then press Enter; the following is displayed:

Figure 25-5: Configure SSH on Ethernet Interfaces

This menu includes the following options:
- Add SSH to All Ethernet Interfaces (see Add SSH to All Ethernet Interfaces).
- Add SSH to Ethernet Interface (see Add SSH to Ethernet Interface).
- Remove SSH from Ethernet Interface (see Remove SSH from Ethernet Interface below).

Add SSH to All Ethernet Interfaces

This option enables SSH access for all network interfaces currently enabled on the OVOC server.

To add SSH to All Ethernet Interfaces:
From the Configure SSH on Ethernet Interfaces menu, choose option 1, and then press Enter. The SSH daemon restarts automatically to update this configuration action. The column 'SSH Listener Status' displays ALL for all interfaces.

Add SSH to Ethernet Interface

This option enables you to allow SSH access separately for each network interface.

To add SSH to Ethernet Interfaces:
1. From the Configure SSH on Ethernet Interfaces menu, choose option 2, and then press Enter. After entering the appropriate sub-menu, all the interfaces upon which SSH access is currently disabled are displayed.
2. Enter the appropriate interface number, and then press Enter. The SSH daemon restarts automatically to update this configuration action. The column 'SSH Listener Status' displays 'YES' for the configured interface.

Remove SSH from Ethernet Interface

This option enables you to deny SSH access separately for each network interface.

To deny SSH from a specific Ethernet Interface:
1. From the Configure SSH on Ethernet Interfaces menu, choose option 3, and then press Enter. All the interfaces to which SSH access is currently enabled are displayed.
2. Enter the desired interface number, and then press Enter. The SSH daemon restarts automatically to update this configuration action. The column 'SSH Listener Status' displays 'No' for the denied interface.

If you attempt to deny SSH access for the only enabled interface, a message is displayed informing you that such an action is not allowed.

Enable/Disable SSH Password Authentication

This option enables you to disable the username/password authentication method for all network interfaces enabled on the OVOC server.

To disable SSH Password Authentication:
1. From the SSH menu, choose option 4, and then press Enter; the following is displayed:

Figure 25-6: Disable Password Authentication

2. Type y to disable SSH password authentication or n to enable, and then press Enter. The SSH daemon restarts automatically to update this configuration action.

Once you perform this action, you cannot reconnect to the OVOC server using User/Password authentication. Therefore, before you disable this authentication method, ensure that you provision an alternative SSH connection method, for example, an RSA key pair. For detailed instructions on how to perform such an action, see www.junauza.com or search the internet for an alternative method.

Enable SSH IgnoreUserKnownHosts Parameter

This option enables you to disable the use of the '$HOME/.ssh/known_hosts' file with stored remote servers fingerprints.

To enable the SSH IgnoreUserKnownHosts parameter:
1. From the SSH menu, choose option 5, and then press Enter; the following is displayed:

Figure 25-7: SSH IgnoreUserKnownHosts Parameter - Confirm

2. Type y to change this parameter value to either 'YES' or 'NO' or type n to leave as is, and then press Enter.

SSH Allowed Hosts

This option enables you to define which hosts are allowed to connect to the OVOC server through SSH.
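
Returning to the lockout warning under Enable/Disable SSH Password Authentication above, the following is an added example (not AudioCodes code) that checks whether a user's authorized_keys file holds at least one well-formed public key before password authentication is switched off. It assumes the OpenSSH default key file location and default StrictModes behaviour; the function names and the 2048-bit RSA threshold are assumptions, and the sample key is constructed.

```python
import base64
import os
import stat
import struct
import tempfile

# Public-key types OpenSSH accepts in authorized_keys.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
WEAK_RSA_BITS = 2048  # assumption: report RSA keys shorter than this


def _wire_strings(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated key data")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key data")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_key_line(line):
    """Validate one authorized_keys entry; return (key_type, rsa_bits_or_None)."""
    tokens = line.split()
    # Options such as from="..." may precede the key type.
    idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type followed by key data")
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key data is not valid base64") from exc
    fields = _wire_strings(blob)
    if not fields or fields[0] != tokens[idx].encode():
        raise ValueError("key type does not match key data")
    if tokens[idx] == "ssh-rsa":
        if len(fields) != 3:  # type, public exponent, modulus
            raise ValueError("malformed RSA key")
        return "ssh-rsa", int.from_bytes(fields[2], "big").bit_length()
    return tokens[idx], None


def check_authorized_keys(path):
    """Return (usable_keys, problems) for one authorized_keys file."""
    usable, problems = [], []
    try:
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8", errors="replace") as handle:
            lines = handle.read().splitlines()
    except OSError as exc:
        return usable, [f"cannot read {path}: {exc.strerror}"]
    # With StrictModes (the sshd default) a group/world-writable file is refused.
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    if writable:
        problems.append("file is group- or world-writable")
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key_type, bits = parse_key_line(line)
        except ValueError as exc:
            problems.append(f"line {number}: {exc}")
            continue
        if bits is not None and bits < WEAK_RSA_BITS:
            problems.append(f"line {number}: RSA key is only {bits} bits")
        if not writable:
            usable.append((key_type, bits))
    return usable, problems


def safe_to_disable_password_auth(path):
    """True if the file passes the mode check and holds a well-formed key."""
    return bool(check_authorized_keys(path)[0])


def constructed_sample_line():
    """Constructed entry: valid framing, all-zero key material (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = os.path.join(tmp, "authorized_keys")
        with open(demo, "w", encoding="utf-8") as handle:
            handle.write(constructed_sample_line() + "\nssh-rsa AAAA...cut\n")
        os.chmod(demo, 0o600)
        print(check_authorized_keys(demo))
        print("safe:", safe_to_disable_password_auth(demo))
```

A True result is necessary but not sufficient: confirm a key-based login in a second session before typing y at the prompt.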

To configure SSH Allowed Hosts:
From the SSH menu, choose option 6, and then press Enter; the following is displayed:

Figure 25-8: Configure SSH Allowed Hosts

This menu includes the following options:
- Allow ALL Hosts (see Allow ALL Hosts below).
- Deny ALL Hosts (see Deny ALL Hosts).
- Add Host/Subnet to Allowed Hosts (see Add Hosts to Allowed Hosts).
- Remove Host/Subnet from Allowed Hosts (see Remove Host/Subnet from Allowed Hosts).

Allow ALL Hosts

This option enables all remote hosts to access this OVOC server through the SSH connection (default).

To allow ALL Hosts:
1. From the Configure SSH Allowed Hosts menu, choose option 1, and then press Enter.
2. Type y to confirm, and then press Enter. The appropriate status is displayed in the screen.

Deny ALL Hosts

This option enables you to deny all remote hosts access to this OVOC server through the SSH connection.

To deny all remote hosts access:
1. From the Configure SSH Allowed Hosts menu, choose option 2, and then press Enter.
2. Type y to confirm, and then press Enter. The appropriate status is displayed in the screen.

When this action is performed, the OVOC server is disconnected and you cannot reconnect to the OVOC server through SSH. Before you disable SSH access, ensure that you have provisioned alternative connection methods, for example, serial management connection or KVM connection.

Add Hosts to Allowed Hosts

This option enables you to allow different SSH access methods to different remote hosts. You can provide the desired remote host IP, subnet or host name in order to connect to the OVOC server through SSH.

To add Hosts to Allowed Hosts:
1. From the Configure SSH Allowed Hosts menu, choose option 3, and then press Enter; the following is displayed:

Figure 25-9: Add Host/Subnet to Allowed Hosts

2. Choose the desired option, and then press Enter.
3. Enter the desired IP address, subnet or host name, and then press Enter.
   When adding a Host Name, ensure the following:
   - Verify that your remote host name appears in the DNS server database and that your OVOC server has access to the DNS server.
   - Provide the host name of the desired network interface defined in the "/etc/hosts" file.
4. Type y to confirm the entry, and then press Enter again.

If the entry is already included in the list of allowed hosts, an appropriate notification is displayed. When the allowed hosts entry has been successfully added, it is displayed in the SSH Allow/Deny Host Manager screen as shown in the figure below:

Figure 25-10: Add Host/Subnet to Allowed Hosts-Configured Host

Remove Host/Subnet from Allowed Hosts

If you have already configured a list of allowed hosts IP addresses, you can then remove one or more of these host addresses from the list.

To remove an existing allowed host's IP address:
1. From the Configure SSH Allowed Hosts menu, choose option 1, and then press Enter; the following is displayed:
2. Choose the desired entry to remove from the Allowed Hosts list, i.e. to deny access to the OVOC server through SSH connection, and then press Enter again.
3. Type y to confirm the entry, and then press Enter again.

When the allowed hosts entry has been successfully removed, it is displayed in the SSH Allow/Deny Host Manager screen as shown in the figure below:

When you remove the only existing IP address, Subnet or Host Name in the Allowed Hosts list, the configuration is automatically set to the default state "Allow All Hosts".

Oracle DB Password

This option enables you to change the default Oracle Database password "pass_1234". The OVOC server shuts down automatically before changing the Oracle Database password.

To change the DB Password:
1. From the Security menu, choose Oracle DB Password, and then press Enter; the OVOC server is rebooted.
2. Press Enter until the New Password prompt is displayed.

Figure 25-11: OVOC Server Manager Change DB Password

   a. Enter the new password, which should be at least 15 characters long, contain at least two digits, two lowercase and two uppercase characters, two punctuation characters and should differ by one character from the previous passwords.

The OVOC server is rebooted when you change the Oracle Database password.

Note and retain these passwords for future access. It is not possible to restore these passwords or to enter the OVOC Oracle Database without them.

3. After validation, a message is displayed indicating that the password was changed successfully.

Cassandra Password

This section describes how to change the Cassandra password.

To change the Cassandra Password:
1. From the Security menu, choose Cassandra DB Password, and then press Enter; the OVOC server is rebooted.
2. Press Enter until the New Password prompt is displayed.

Figure 25-12: Change Cassandra Password

3. Enter the new password and confirm.

OS Users Passwords

This section describes how to change the OS password settings.

To change OS passwords:
1. From the Security menu, choose OS Users Passwords, and then press Enter.
2. Proceed to one of the following procedures:
   - General Password Settings (see General Password Settings below).
   - Operating System User Security Extensions (see Operating System User Security Extensions).

General Password Settings

This option enables you to change the OS general password settings, such as 'Minimum Acceptable Password Length' and 'Enable User Block on Failed Login'. This feature also enables you to modify settings for a specific user, such as 'User's Password' and 'Password Validity Max Period'.

To modify general password settings:
1. The Change General Password Settings prompt is displayed; type y, and then press Enter.
2. Do you want to change general password settings? (y/n)y
3. The Minimum Acceptable Password Length prompt is displayed; type 10, and then press Enter.
   Minimum Acceptable Password Length [10]: 10
4. The Enable User Block on Failed Login prompt is displayed; type y, and then press Enter.
   Enable User Block on Failed Login (y/n) [y] y
5. The Maximum Login Retries prompt is displayed; type 3, and then press Enter.
   Maximum Login Retries [3]: 3
6. The Failed Login Locking Timeout prompt is displayed; type 900, and then press Enter.
   Failed Login Locking Timeout [900]:900
7. You are prompted if you wish to continue; type y, and then press Enter.
   Are you sure that you want to continue? (y/n/q) y
8. You are prompted if you wish to change the password for a specific user.
   Do you wish to change this user's password?
9. Enter the username whose password you wish to change.
   Enter Username [username]
10. Enter the new password and confirm.

Operating System User Security Extensions

This feature enables the administrator to configure the following additional user security extensions:
- Maximum allowed number of simultaneous open sessions.
- Inactivity time period (days) before the OS user is locked.

To configure these parameters, in the OS Passwords Settings menu, configure parameters according to the procedure below (see also the green arrows indicating the relevant parameters to configure).

To configure operating system users security extensions:
1. The Change General Password Settings prompt is displayed; type n, and then press Enter.
   Do you want to change general password settings ? (y/n) n
2. The Change password for a specific user prompt is displayed; type y, and then press Enter.
   Do you want to change password for specific user ? (y/n) y
3. Enter the Username upon which you wish to configure, and then press Enter.
   Enter Username [acems]:
4. The change User Password prompt is displayed; type n, and then press Enter.
   Do you want to change its password ? (y/n) n
5. An additional Password prompt is displayed; type y, and then press Enter.
   Do you want to change its login and password properties? (y/n) y
6. The Password Validity prompt is displayed; press Enter.
   Password Validity Max Period (days) [90]:
7. The Password Update prompt is displayed; press Enter.
   Password Update Min Period (days) [1]:
8. The Password Warning prompt is displayed; press Enter.
   Password Warning Max Period (days) [7]:
9. The Maximum number of Simultaneous Open Sessions prompt is displayed; enter the number of simultaneous open SSH connections you wish to allow for this user.
   Maximum allowed number of simultaneous open sessions [0]:
10. The Inactivity Days prompt is displayed; enter the number of inactivity days before the user is locked. For example, if you'd like to suspend a specific user if they have not connected to the OVOC server for a week, enter 7 days.
   Days of inactivity before user is locked (days) [0]:

Figure 25-13: OS Passwords Settings with Security Extensions

If the user attempts to open more than three SSH sessions simultaneously, they are prompted and immediately disconnected from the fourth session as displayed in the figure below.

Figure 25-14: Maximum Active SSH Sessions

By default you can connect through SSH to the OVOC server with user acems only. If you configure an inactivity days limitation on this user, the situation may arise, for example, where a user is away for an extended period and has no active user to access the OVOC server. Therefore, we strongly recommend using this limitation very carefully, and preferably configuring this option for each user that connects to the OVOC server through SSH other than the acems user.

File Integrity Checker

The File Integrity checker tool periodically verifies whether file attributes were changed (permissions/mode, inode #, number of links, user id, group id, size, access time, modification time, creation/inode modification time). File Integrity violation problems are reported through OVOC Security Events.
The File Integrity checker tool runs on the OVOC server machine.

From the Security menu, choose File Integrity Checker, and then press Enter; the File Integrity Checker is started or stopped.

Software Integrity Checker (AIDE) and Pre-linking

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. This mechanism creates a database from the regular expression rules that it finds in its configuration file. Once this database is initialized, it can be used to verify the integrity of the files.

Pre-linking is designed to decrease process startup time by loading each shared library into an address for which the linking of needed symbols has already been performed. After a binary has been pre-linked, the address where the shared libraries are loaded will no longer be random on a per-process basis. This is undesirable because it provides a stable address for an attacker to use during an exploitation attempt.

To start AIDE and disable pre-linking:
1. From the Security menu, choose Software Integrity Checker (AIDE) and Pre-linking; the current status of these two processes is displayed:

Figure 25-15: Software Integrity Checker (AIDE) and Pre-linking

2. Do one of the following:
   - Type y to enable AIDE and disable pre-linking.
   - Type n to disable AIDE and enable pre-linking.

USB Storage

This menu option allows enabling or disabling the OVOC server's USB storage access as required.

To enable USB storage:
1. From the Security menu, choose USB Storage; the following prompt is displayed:

Figure 25-16: USB Storage

2. Enable or disable USB storage as required.

Network Options

This menu option provides the following options to enhance network security:
- Ignore Internet Control Message Protocol (ICMP) Echo requests: This option ensures that the OVOC server does not respond to ICMP broadcasts, and therefore such replies are always discarded. This prevents attempts to discover the system using ping requests.
- Ignore ICMP Echo and Timestamp requests: This option ensures that the OVOC server does not respond to an ICMP timestamp request to query for the current time. This reduces exposure to spoofing of the system time.
- Send ICMP Redirect Messages: This option disables the sending of ICMP Redirect Messages, which are generally sent only by routers.
- Ignore ICMP Redirect Messages: This option ensures that the OVOC server does not respond to ICMP Redirect broadcasts, and therefore such replies are always discarded. This prevents an intruder from attempting to redirect traffic from the OVOC server to a different gateway or a non-existent gateway.

To enable network options:
1. From the Security menu, choose Network Options; the following screen is displayed:

Figure 25-17: Network Options

2. Set the required network options.

Auditd Options

Auditd is the userspace component of the Linux Auditing System that is responsible for writing audit records to the disk. Using the Auditd option, you can change the auditd tool settings to comply with the Security Technical Information Guidelines (STIG) recommendations.

To set Auditd options according to STIG:
1. From the Security menu, choose Auditd Options; the following screen is displayed:

Figure 25-18: Auditd Options

2. Enable or disable Auditd options as required.

Audit records are saved in the /var/log/audit/ directory.

HTTPS SSL TLS Security

This section describes the configuration settings for the HTTPS/SSL/TLS connections. The figure below shows the maximum security that can be implemented in the OVOC environment.

Figure 25-19: OVOC Maximum Security Implementation

The above figure shows all the HTTPS/SSL/TLS connections in the OVOC network. Use this figure as an overview to the procedures described below.
Note that not all of the connections shown in the above figure have corresponding procedures. For more information, refer to the OVOC Security Guidelines document.

This version supports TLS versions 1.0, 1.1, and 1.2.

Server Certificates Update

This menu option enables you to automatically generate custom SSL server certificates for securing connections between OVOC server and client processes. See . for an illustration of these connections.

If you are using self-generated certificates and private key, you can skip to step 4.

The procedure for server certificates update consists of the following steps:
1. Step 1: Generate Server Private Key.
2. Step 2: Generate Server Certificate Signing Request (CSR).
3. Step 3: Transfer the generated CSR file to your PC and send to CA.
4. Step 4: Transfer certificates files received from CA back to OVOC server.
5. Step 5: Import new certificates on OVOC server.
6. Step 6: Verify the installed Server certificate.
7. Step 7: Verify the installed Root certificate.
8. Step 8: Perform Supplementary procedures to complete certificate update process (refer to Appendix Supplementary Security Procedures).

To generate server certificates:
1. From the Security menu, choose Server Certificates Update.

Figure 25-20: Server Certificate Updates

Information on the currently installed certificate is displayed (the currently installed certificate is the installation default).

Step 1: Generate a server private key:
1. Select option 1. The following screen is displayed:

Figure 25-21: Generate Server Private Key

2. Select the number of bits required for the server private key.
3. Enter and reenter the server private key password and type Y to continue. The private key is generated.

Figure 25-22: Server Private Key Generated

Step 2: Generate a CSR for the server:
1. Select option 2.
2. Enter the private key password (the password that you entered in the procedure above).
3. Enter the Country Name code, state or province, locality, organization name, organization unit name, common name (server host name) and email address.
4. Enter a challenge password and optionally a company name. You are notified that a server Certificate Signing Request has successfully been generated and saved to the specified location.

Figure 25-23: Generating a Server Certificate Signing Request (CSR)

Step 3: Transfer the CSR file to your PC and send to CA:
Transfer the CSR file from the /home/acems/server_cert/server.csr directory to your PC and then send it to the Certificate Authority (CA). For instructions on transferring files, see Appendix Transferring Files.

Figure 25-24: Transfer CSR File to PC

Step 4: Transfer server certificates from the CA:
Transfer the files that you received from the CA to the /home/acems/server_certs directory. The root certificate should have the name root.crt and the server certificate should have the name server.crt. If you received intermediate certificates, then rename them to ca1.crt and ca2.crt. Make sure that all certificates are in PEM format. For instructions on transferring files, see Appendix Transferring Files.

Note: If your certificates are self-generated (you did not perform steps 1-3), the /home/acems/server_certs directory does not exist; therefore you must create it using the following commands:

   mkdir /home/acems/server_certs
   chmod 777 /home/acems/server_certs

Step 5: Import certificates:
Select option 3 and follow the prompts. The certificate files are installed. The root certificate should be named root.crt and the server certificate should be named server.crt. If you received intermediate certificates then rename them to ca1.crt and ca2.crt.
Make sure that all certificates are in PEM format and appear as follows (see Verifying and Converting Certificates on page 296 for information on converting files):

    -----BEGIN CERTIFICATE-----
    MIIBuTCCASKgAwIBAgIFAKKlMbgwDQYJKoZIhvcNAQEFBQAwFzEVMBMGA1UEAxMM
    RU1TIFJPT1QgQ0EyMB4XDTE1MDUwMzA4NTE0MFoXDTI1MDUwMzA4NTE0MFowKjET
    Tl6vqn5I27Oq/24KbY9q6EK2Yc3K2EAadL2IF1jnb+yvREuewprOz6TEEuxNJol0
    L6V8lzUYOfHrEiq/6g==
    -----END CERTIFICATE-----

Step 6: Verify the installed server certificate:

Select option 4. The installed server certificate is displayed:

Figure 25-25: Installed Server Certificate

Step 7: Verify the installed root certificate:

Select option 5. The installed root certificate is displayed:

Figure 25-26: Installed Root Certificate

Step 8: Install device certificates and perform supplementary procedures:

See Supplementary Security Procedures on page 283.

OVOC Voice Quality Package - SBC Communication

This option allows you to configure the transport type for the XML based OVOC Voice Quality Package communication from the OVOC managed devices to the OVOC server. You can enable the TCP port (port 5000), the TLS port (port 5001) connections or both port connections.

To configure the OVOC Voice Quality Package - SBC Communication:

1. From the Security menu, select OVOC Voice Quality Package SBC Communication.

Figure 25-27: OVOC Voice Quality Package SBC Communication

2. Choose one of the following transport types:
   - TCP (opens port 5000)
   - TLS (opens port 5001)
   - TLS/TCP (this setting opens both ports 5000 and 5001).

HTTP Security Settings

From the OVOC Server Manager root menu, choose HTTP Security Settings.
Figure 25-28: HTTP Security Settings

This menu allows you to configure the following Apache server security settings:

- TLS Version 1.0 (TLS Version 1.0 on the next page)
- TLS Version 1.1 (TLS Version 1.1 on the next page)
- Show Allowed SSL Cipher Suites (Show Allowed SSL Cipher Suites on page 242)
- Edit SSL Cipher Suites Configuration String (Edit SSL Cipher Suites Configuration String on the next page)
- Restore SSL Cipher Suites Configuration Default (Restore SSL Cipher Suites Configuration Default on page 243)
- Manage HTTP Service (Port 80) (Manage HTTP Service Port (80) on page 243)
- Manage IPP Files Service (Port 8080) (Manage IPP Files Service Port (8080) on page 243)
- Manage IPPs HTTP (Port 8081) (Manage IPPs HTTP Port (8081) on page 244)
- Manage IPPs HTTPS (Port 8082) (Manage IPPs HTTPS Port (8082) on page 244)
- OVOC REST (Port 911) (OVOC Rest (Port 911) on page 244)
- Floating License REST (Port 912) (Floating License (Port 912) on page 244)
- OVOC WebSocket (Port 915) (OVOC WebSocket (Port 915) on page 245)
- SBC HTTPS Authentication (SBC HTTPS Authentication Mode on page 245)
- Enable Device Manager Pro and NBIF Web Pages Secured Communication (Enable Device Manager Pro and NBIF Web Pages Secured Communication on page 246)
- Change HTTP/S Authentication Password for NBIF Directory (Change HTTP/S Authentication Password for NBIF Directory on page 246)

TLS Version 1.0

This option enables/disables TLS Version 1.0 on port 443 (Apache server is restarted).

To enable or disable TLS Version 1.0:

From the HTTP Security Settings menu, select option Enable TLSv1.0 for Apache.

When TLS Version 1.1 is disabled, TLS Version 1.0 is also disabled. Likewise, if TLS Version 1.0 is enabled, TLS Version 1.1 is also enabled. Apache server is restarted. Default (enabled).

TLS Version 1.1

This option enables/disables TLS Version 1.1 on port 443 (Apache server is restarted).
To enable or disable TLS Version 1.1:

From the HTTP Security Settings menu, select option Enable TLSv1.1 for Apache. Default (enabled). Apache server is restarted.

When TLS Version 1.1 is disabled, TLS Version 1.0 is also disabled. Likewise, if TLS Version 1.0 is enabled, TLS Version 1.1 is also enabled.

Show Allowed SSL Cipher Suites

This option allows you to view the currently configured SSL cipher suites.

To show allowed SSL cipher suites:

1. From the HTTP Security Settings menu, select option Show Allowed SSL Cipher Suites. The currently configured SSL cipher suites are displayed. The overall figure indicates the total number of entries.

Figure 25-29: Show Allowed SSL Cipher Suites

Edit SSL Cipher Suites Configuration String

This option allows you to edit the SSL Cipher Suites configuration string.

To edit the SSL cipher suites configuration string:

1. From the HTTP Security Settings menu, select option Edit SSL Cipher Suites Configuration String.

Figure 25-30: Show SSL Cipher Suites Configuration

2. Edit the new configuration and select y to apply the changes.
3. Run the Show Allowed SSL Cipher Suites command to display the new configuration.

Restore SSL Cipher Suites Configuration Default

This option allows you to restore the SSL Cipher Suites to the OVOC default values.

To restore the SSL Cipher Suites Configuration default:

From the HTTP Security Settings menu, select Restore SSL Cipher Suites Configuration Default.

Manage HTTP Service Port (80)

To open/close HTTP Service (Port 80):

In the HTTP Security Settings menu, choose option Open/Close HTTP Service (Port 80), and then press Enter.
This HTTP port is used for the connection between the OVOC server and all AudioCodes devices with the Device Manager Pro Web browser.

Manage IPP Files Service Port (8080)

To open/close IPPs files service (port 8080):

In the HTTP Security Settings menu, choose option Open/Close IPPs files(Port 8080), and then press Enter.

This HTTP port is used for downloading firmware and configuration files from the OVOC server to the endpoints. This option is reserved for backward compatibility with older device versions.

Manage IPPs HTTP Port (8081)

To open/close IPPs HTTP (Port 8081):

In the HTTP Security Settings menu, choose option Open/Close IPPs HTTP (Port 8081), and then press Enter.

This HTTP port is used for sending REST updates from the endpoints to the OVOC server, such as alarms and statuses. This option is reserved for backward compatibility with older device versions.

Manage IPPs HTTPS Port (8082)

To open/close IPPs HTTPS (Port 8082):

In the HTTP Security Settings menu, choose option Open/Close IPPs HTTPS (Port 8082), and then press Enter.

This HTTPS port is used for sending secure REST updates from the endpoints to the OVOC server, such as alarms and statuses (HTTPS without certificate authentication). This option is reserved for backward compatibility with older device versions.

OVOC Rest (Port 911)

This option allows you to open and close the REST port connection for (internal) port and server debugging.

To configure OVOC REST:

1. From the HTTP Security Settings menu, choose option Open/Close OVOC REST (Port 911).

Floating License (Port 912)

This option allows you to open and close the Floating license REST service (internal) and Floating license service debugging.

To open/close the Floating License port:

1. From the HTTP Security Settings menu, choose option Open/Close Floating License REST (Port 912).
OVOC WebSocket (Port 915)

This option allows you to open and close the OVOC WebSocket (Port 915) connection between the Websocket client and OVOC server.

To open/close the WebSocket port:

1. From the HTTP Security Settings menu, choose option Open/Close OVOC WebSocket (Port 915).

SBC HTTPS Authentication Mode

This option enables you to configure whether certificates are used to authenticate the connection between the OVOC server and the devices in one direction or in both directions:

- Mutual Authentication: the OVOC authenticates the device connection request using certificates and the device authenticates the OVOC connection request using certificates. When this option is configured:
  - The same root CA must sign the certificate that is loaded to the device and certificate that is loaded to the OVOC server.
  - Mutual authentication must also be enabled on the device (Step 5: Configure HTTPS Parameters on the Device on page 287).
- One-way Authentication option: the OVOC does not authenticate the device connection request using certificates; only the device authenticates the OVOC connection request.

You can use the procedure described in Server Certificates Update on page 234 to load the certificate file to the OVOC server.

To enable HTTPS authentication:

1. In the HTTP Security Settings menu, choose the SBC HTTPS Authentication option.

Figure 25-31: SBC HTTPS Authentication

2. Choose one of the following options:
   1. Set Mutual Authentication
   2. Set One-Way Authentication

Enable Device Manager Pro and NBIF Web Pages Secured Communication

This menu option enables you to secure the connection between the Device Manager Server and NBIF Web pages and the Apache server over HTTPS. When this option is enabled, the connection is secured through HTTPS port 443 (instead of port 80-HTTP).
To secure the Device Manager Pro and NBIF Web pages connection:

From the HTTP Security Settings menu, choose IP Phone Manager and NBIF Web pages Secured Communication; the connection is secured.

Change HTTP/S Authentication Password for NBIF Directory

This option enables you to change the password for logging in to the OVOC client from an NBIF client over an HTTP/S connection. The default user name is "nbif" and default password is "pass_1234".

To change the HTTP/S authentication password:

1. From the HTTP Security Settings menu, select Change HTTP/S Authentication Password for NBIF Directory. You are prompted to change the HTTP/S authentication password. Enter y to change the password.

Figure 25-32: Change HTTP/S Authentication Password for NBIF Directory

2. Enter the new password.
3. Reenter the new password. A confirmation message is displayed and the Apache server is restarted.

26 Diagnostics

This section describes the diagnostics procedures provided by the OVOC Server Manager.

To run OVOC server diagnostics:

From the OVOC Server Manager root menu, choose Diagnostics, and then press Enter; the following is displayed:

Figure 26-1: Diagnostics

This menu includes the following options:

- Server Syslog Configuration (Server Syslog Configuration below).
- Devices Syslog Configuration (Devices Syslog Configuration on page 250).
- Devices Debug Configuration (Devices Debug Configuration on page 251).
- Server Logger Levels (Server Logger Levels on page 252).
- Network Traffic Capture (see Network Traffic Capture on page 253).

Server Syslog Configuration

This section describes how to send OVOC server Operating System (OS)-related syslog EMERG events to the system console and other OVOC server OS-related messages to a designated external server.

To send EMERG events to the system console and other events to an external server:

1. From the Diagnostics menu, choose Server Syslog, and then press Enter.
2. To send EMERG events to the system console, type y, press Enter, and then confirm by typing y again.

Figure 26-2: Syslog Configuration

Figure 26-3: Forward Messages to an External Server

3. You are prompted to forward messages to an external server; type y, and then press Enter. If this is changed, the server is rebooted.
4. Type one of the following Facilities from the list (case-sensitive) or select the wildcard * to select all facilities in the list, and then press Enter:
   - auth and authpriv: for authentication;
   - cron: comes from task scheduling services, cron and atd;
   - daemon: affects a daemon without any special classification (DNS, NTP, etc.);
   - ftp: concerns the FTP server;
   - kern: message coming from the kernel;
   - lpr: comes from the printing subsystem;
   - mail: comes from the e-mail subsystem;
   - news: Usenet subsystem message (especially from an NNTP -- Network News Transfer Protocol -- server that manages newsgroups);
   - syslog: messages from the syslogd server itself;
   - user: user messages (generic);
   - uucp: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
   - local0 to local7: reserved for local use.
5. Each message is also associated with a Severity or priority level. Type one of the following severities (in decreasing order) and then press Enter:
   - emerg: "Help!" There's an emergency, the system is probably unusable;
   - alert: hurry up, any delay can be dangerous, action must be taken immediately;
   - crit: conditions are critical;
   - err: error;
   - warn: warning (potential error);
   - notice: conditions are normal, but the message is important;
   - info: informative message;
   - debug: debugging message.
6. Type the external server Hostname or IP address to which you wish to send the syslog.
Devices Syslog Configuration

The capture of the device's Syslog can be logged directly to the OVOC server without the need for a third-party Syslog server in the same local network. The OVOC Server Manager is used to enable this feature. Syslog is captured according to the device's configured Syslog parameters. For more information, see the relevant device User's Manual.

The user also needs to enable the monitored device to send syslog messages to the standard syslog port (UDP 514) on the OVOC server machine.

The syslog log file 'syslog' is located in the following OVOC server directory:

    /data/NBIF/mgDebug/syslog

The syslog file is automatically rotated once a week or when it reaches 100 MB. Up to four syslog files are stored.

To enable device syslog logging:

1. From the Diagnostics menu, choose Devices Syslog, and then press Enter.
2. You are prompted whether you wish to send EMERG events to system console; type Y or N.
3. You are prompted whether you wish to send events to an external server; type Y or N.

Devices Debug Configuration

Debug recording packets from all managed machines can be logged directly to the OVOC server without the need for a 3rd party network sniffer in the same local network. Debug recording packets are collected according to the AudioCodes device's configured Debug parameters. For more information, see the relevant device User's Manual.

The OVOC server runs the Wireshark network sniffer, which listens on a particular configured port. The sniffer records the packets to a network capture file in the Debug Recording (DR) directory. You can then access this file from your PC through FTP. The OVOC Server Manager is used to enable this feature.

The user should configure the monitored device to send its debug record messages to a specific port (UDP 925) on the OVOC server IP.
The DR capture file is located in the following OVOC server directory:

    /data/NBIF/mgDebug/DebugRecording

The file 'TPDebugRec<DATE>.cap' is saved for each session. The user is responsible for closing (stopping) each debug recording session. In any case, each session (file) is limited to 10MB or one hour of recording (the first rule which is met causes the file to close, i.e. if the file reaches 10MB in less than an hour of recording, it is closed). A cleanup process is run daily, deleting capture files that are 5 days old.

The user is able to retrieve this file from the OVOC server and open it locally on their own PC using Wireshark with the debug recording plug-in installed (Wireshark version 1.6.2 supports the Debug Recording plug-in).

To enable or disable devices debug:

1. From the Diagnostics menu, choose Devices Debug, and then press Enter. A message is displayed indicating that debug recording is either enabled or disabled.
2. Type y, and then press Enter.

Recording files are saved in the /data/NBIF/mgDebug directory on the server.

It is highly recommended to disable the 'TP Debug Recording' feature when you have completed recording because this feature heavily utilizes system resources.

Server Logger Levels

This option allows you to change the log level for the different OVOC server log directories. After completing the debugging, revert to the previous configuration to prevent over-utilization of CPU resources.

To change the server logger level:

1. From the Diagnostics menu, choose Logger Levels.
2. Enter the name of the log whose level you wish to change.
3. Enter the desired logger level.
4. Select Yes at the prompt to confirm the change.

Figure 26-4: Server Logger Name and Level

Network Traffic Capture

Network traffic can be captured to a PCAP capture file according to a list of IP addresses and ports and a specified time period.
The PCAP files can later be opened with a network sniffer program such as Wireshark.

To capture TCP traffic:

1. From the Diagnostics menu, choose option Network Traffic Capture.

Figure 26-5: Network Traffic Capture

2. Select option 1 Start tcpdump.
3. Select y to start the tcpdump.

Figure 26-6: TCP Dump

4. Enter comma separated IP address(es) or accept the default "any" IP address.
5. Enter comma separated port(s) or accept the default "any".
6. Enter the capture time (in minutes). Default: network traffic for the last ten minutes is captured.
7. Select y to proceed.

Figure 26-7: TCP Dump Running

Part VI Configuring the Firewall

This part describes how to configure the OVOC firewall.

27 Configuring the Firewall

The OVOC interoperates with firewalls, protecting against unauthorized access by crackers and hackers, thereby securing regular communications. You need to define firewall rules to secure communications for the OVOC client-server processes. Each of these processes uses different communication ports. By default, all ports are open on the OVOC server side. When installing the OVOC server, you need to configure its network and open the ports in your Enterprise LAN according to your site requirements, based on the firewall configuration rules (representing these port connections) that are described in the table and figure below.

Table 27-1: Firewall Configuration Rules

| Connection | Port Type | Secured Connection | Port Number | Purpose | Port side / Flow Direction |
|---|---|---|---|---|---|
| OVOC clients and OVOC server | | | | | |
| TCP/IP client - OVOC server | TCP | | 22 | SSH communication between OVOC server and TCP/IP client. Initiator: client PC | OVOC server side / Bi-directional |
| HTTPS/NBIF Clients - OVOC server | TCP | (HTTPS) | 443 | Connection for OVOC/NBIF clients. Initiator: Client | OVOC server side / Bi-directional |
| REST client | TCP | × (HTTP) | 911 | Connection for OVOC server REST (internal) port and server debugging. Initiator (internal): OVOC server. Initiator (debugging): REST client | OVOC server side / Bi-directional |
| | TCP | × (HTTP) | 912 | Floating license REST service (internal) communication and Floating license service debugging. Initiator (internal): OVOC server. Initiator (debugging): REST client | OVOC server side / Bi-directional |
| Microsoft Teams OVOC Communication | TCP | (HTTPS) | 5010 | Connection to Microsoft Teams. Initiator: Microsoft Teams | OVOC server side / Receive only |
| WebSocket Client - OVOC Server Communication | TCP | (HTTP) | 915 | WebSocket Client and OVOC Server communication (internal) according to RFC 6455, used for managing the alarm and task notification mechanism in the OVOC Web. Initiator (internal): WebSocket Client | OVOC server side / Bi-directional |
| OVOC server and OVOC Managed Devices | | | | | |
| Device - OVOC server (SNMP) | UDP | | 1161 | Keep-alive - SNMP trap listening port (used predominantly for devices located behind a NAT). Used also by Fixed License Pool and Floating License Service. Initiator: AudioCodes device | OVOC server side / Receive only |
| | UDP | | 162 | SNMP trap listening port on the OVOC. Initiator: AudioCodes device | OVOC server side / Receive only |
| | UDP | | 161 | SNMP Trap Manager port on the device that is used to send traps to the OVOC server. Used also by Fixed License Pool and Floating License Service. Initiator: OVOC server | MG side / Bi-directional |
| Device - OVOC server (NTP Server) | UDP | × (NTP server) | 123 | NTP server synchronization for external clock. Initiator: MG (and OVOC server, if configured as NTP client). Initiator: Both sides | Both sides / Bi-directional |
| Device - OVOC server | TCP | × (HTTP) | 80 | HTTP connection for files transfer and REST communication. Initiator: OVOC server | OVOC server side / Bi-directional |
| | TCP | (HTTPS) | 443 | HTTPS connection for files transfer (upload and download) and REST communication. Initiator: OVOC server | OVOC server side / Bi-directional |
| Device - OVOC server Floating License Management | TCP | (HTTPS) | 443 | HTTPS connection for files transfer (upload and download) and REST communication for device Floating License Management. Initiator: Device | OVOC server side / Bi-directional |
| Devices Managed by the Device Manager | | | | | |
| OVOC server - Device Manager Pro | TCP | × (HTTP) | 80 | HTTP connection between the OVOC server and the Device Manager Pro Web browser. Initiator: Client browser. HTTP connection that is used by endpoints for downloading firmware and configuration files from the OVOC server. Initiator: Endpoint | OVOC server side / Bi-directional |
| | TCP | (HTTPS) | 443 | HTTPS connection between the OVOC server and the Device Manager Pro Web browser. Initiator: Client browser. HTTPS connection used by endpoints for downloading firmware and configuration files from the OVOC server. Initiator: Endpoints | OVOC server side / Bi-directional |
| OVOC server - Endpoints (used for backward compatibility) | TCP | × (HTTP) | 8080 | HTTP connection that is used by endpoints for downloading firmware and configuration files from the OVOC server. Initiator: Endpoint | OVOC server side / Bi-directional |
| | TCP | × (HTTP) | 8081 | HTTP REST updates connection. It is recommended to use this connection when managing more than 5000 IP Phones. In this case, you should change the provisioning URL port from 80 to 8081 in the phone's configuration file. Initiator: Endpoint | OVOC server side / Bi-directional |
| | TCP | (HTTPS) | 8082 | HTTPS REST updates connection (encryption only without SSL authentication). It is recommended to use this connection when managing more than 5000 IP Phones. In this case, you should change the provisioning URL port from 443 to 8082 in the phone's configuration file. Initiator: Endpoint | OVOC server side / Bi-directional |
| OVOC Voice Quality Package Server and Devices | | | | | |
| Media Gateways - Voice Quality Package | TCP | × | 5000 | XML based communication for control, media data reports and SIP call flow messages. Initiator: Media Gateway | OVOC server side / Bi-directional |
| | TCP | (TLS) | 5001 | XML based TLS secured communication for control, media data reports and SIP call flow messages. Initiator: AudioCodes device | OVOC server side / Bi-directional |
| Skype for Business MS-SQL Server | | | | | |
| OVOC Voice Quality Package server - Skype for Business MS-SQL Server | TCP | | 1433 | Connection between the OVOC server and the MS-SQL Skype for Business Server. This port should be configured with SSL. Initiator: OVOC server | Skype for Business SQL server side / Bi-directional |
| LDAP Active Directory Server | | | | | |
| Voice Quality Package - Active Directory LDAP server (Skype for Business user authentication) | TCP | × | 389 | Connection between the Voice Quality Package server and the Active Directory LDAP server. Initiator: OVOC server | Active Directory server side / Bi-directional |
| | TCP | (TLS) | 636 | Connection between the Voice Quality Package server and the Active Directory LDAP server with SSL configured. Initiator: OVOC server | Active Directory server side / Bi-directional |
| OVOC server - Active Directory LDAP server (OVOC user authentication) | TCP | × | 389 | Connection between the OVOC server and the Active Directory LDAP server (OVOC Users). Initiator: OVOC server | Active Directory server side / Bi-directional |
| | TCP | (TLS) | 636 | Connection between the OVOC server and the Active Directory LDAP server (OVOC Users) with SSL configured. Initiator: OVOC server | Active Directory server side / Bi-directional |
| RADIUS Server | | | | | |
| OVOC server - RADIUS server | TCP | × | 1812 | Direct connection between the OVOC server and the RADIUS server (when OVOC user is authenticated using RADIUS server). Initiator: OVOC server | OVOC server side / Bi-directional |
| AudioCodes Floating License Service | | | | | |
| OVOC server - AudioCodes Floating License Service | TCP | | 443 | HTTPS for OVOC/Cloud Service. Initiator: OVOC REST client | OVOC REST client side / Bi-directional |
| External Servers | | | | | |
| OVOC server - Mail Server | TCP | × | 25 | Trap Forwarding to Mail server. Initiator: OVOC server | Mail server side / Bi-directional |
| OVOC server - Syslog Server | TCP | × | 514 | Trap Forwarding to Syslog server. Initiator: OVOC server | Syslog server side / Bi-directional |
| OVOC server - Debug Recording Server | UDP | × | 925 | Trap Forwarding to Debug Recording server. Initiator: OVOC server | Debug Recording server / Bi-directional |
| Voice Quality | | | | | |
| Voice Quality Package - Endpoints (RFC 6035) | UDP | × | 5060 | SIP Publish reports sent to the SEM server from the endpoints, including RFC 6035 SIP PUBLISH for reporting device voice quality metrics. Initiator: Endpoint | SEM server / Bi-directional |

Table 27-2: Northbound Interfaces Flows: NOC/OSS to OVOC

| Source IP Address Range | Destination IP Address Range | Protocol | Secure | Source Port Range | Destination Port Range |
|---|---|---|---|---|---|
| NOC/OSS | OVOC | SFTP | | 1024 - 65535 | 20 |
| NOC/OSS | OVOC | FTP | × | 1024 - 65535 | 21 |
| NOC/OSS | OVOC | SSH | | 1024 - 65535 | 22 |
| NOC/OSS | OVOC | Telnet | × | 1024 - 65535 | 23 |
| NOC/OSS | OVOC | NTP | × | 123 | 123 |
| NOC/OSS | OVOC | HTTP/HTTPS | ×/ | N/A | 80/443 |
| NOC/OSS | OVOC | SNMP (UDP) Set for the Active alarms Resync feature. | × | N/A | 161 |
| NOC/OSS | OVOC | TCP connection for Data Analytics DB Access. Initiator: DB Access client. This port is open when the "Data Analytics" Voice Quality feature license has been purchased and the feature has been enabled (see Analytics API on page 187) | × | N/A | 1521 |

Table 27-3: OAM Flows: OVOC to NOC/OSS

| Source IP Address Range | Destination IP Address Range | Protocol | Secure | Source Port Range | Destination Port Range |
|---|---|---|---|---|---|
| OVOC | NOC/OSS | NTP | × | 123 | 123 |
| OVOC | NOC/OSS | SNMP (UDP) Trap | × | 1024 - 65535 | 162 |
| OVOC | NOC/OSS | SNMP (UDP) port for the Active alarms Resync feature | × | 1164 - 1174 | - |
| OVOC | NOC/OSS | SNMP (UDP) port for alarm forwarding | × | 1180 - 1220 | - |

Figure 27-1: Firewall Configuration Schema

The above figure displays images of devices. For the full list of supported products, see Managed VoIP Equipment on page 3.

Configuring Firewall for Cloud Architecture Mode

When the OVOC server is deployed in a public cloud and the Cloud Architecture feature is enabled (see Configure OVOC Cloud Architecture Mode on page 115), all proprietary connections between SBC devices and the OVOC server are bundled into an HTTP/S tunnel overlay network over ports 80/443; therefore these ports must be open on the Enterprise firewall. Configuring other Enterprise firewall rules for SBC and OVOC server connections is not necessary.
Configuring Firewall for NAT Deployment

The table below describes the mandatory firewall rules to configure in the Enterprise firewall for connecting devices behind a NAT as described in Section Managing Device Connections on page 113.

| Configuration Option | Ports to Configure | Port side / Flow Direction |
|---|---|---|
| SBC Devices | | |
| Cloud Architecture Mode (Device > OVOC Server) | TCP HTTP 80; TCP HTTPS 443 | OVOC server side / Bi-directional |
| OVOC Server NAT Mode (OVOC > Devices) | SNMP UDP port 1161 | OVOC server side / Receive only |
| | SNMP UDP port 162 | OVOC server side / Receive only |
| | TCP 5000 | OVOC server side / Bi-directional |
| | TCP 5001 (Voice Quality Management over TLS) | OVOC server side / Bi-directional |
| | NTP 123 NTP server port (configure the OVOC server's Public IP address as the NTP server) | Both sides / Bi-directional |
| Phones | | |
| Device Manager Agent | TCP HTTPS Port 443 | OVOC server side / Bi-Directional |

Configuring Firewall for Service Provider Cluster

The table below describes the ports for the OVOC Service Provider Cluster mode. This table is applicable for the Management Server when Service Provider Cluster mode is enabled.
Table 27-4: OVOC Service Provider Cluster Mode

Connection Type | Ports to Configure | Access | Secured | Port side / Flow Direction

OVOC Clients and OVOC Server
HTTP/REST | 80 | Public (MGMT) | ✗ | OVOC Management server side / Bidirectional
 | 443 | Public (MGMT) | | OVOC Management server side / Bidirectional
REST | 911 | Private (MGMT) | ✗ | OVOC Management server side / Bidirectional
Floating License | 912 | Private (MGMT) | ✗ | OVOC Management server side / Bidirectional
Websocket | 915 | Private (MGMT) | ✗ | OVOC Management server side / Bidirectional

OVOC Server and Managed Devices
SNMP / Traps | 1161 | Public (MGMT) | (v3) | OVOC Management server side / Bidirectional
SNMP | 161 | Public (MGMT) | (v3) | OVOC Management server side / Bidirectional
SNMP Traps | 162 | Public (MGMT) | (v3) | OVOC Management server side / Bidirectional
NTP | 123 | Public (MGMT) | ✗ | OVOC Management server side / Bidirectional

PM Server and Managed Devices
HTTP REST connection used for polling managed devices. | 80 | Public (MGMT) | ✗ | OVOC Management server side / Send only
HTTPS REST connection used for polling managed devices. | 443 | Public (MGMT) | | OVOC Management server side / Send only

OVOC Voice Quality Package and SIP Publish
Voice Quality Package | 5000 | Public (MGMT) | ✗ | OVOC Management server side / Receive only
 | 5001 | Public (MGMT) | | OVOC Management server side / Receive only
SIP 6035 | 5060 | Public (MGMT) | ✗ | OVOC Management server side / Receive only

Phones
IPP Files | 8080 | Public (MGMT) | ✗ | OVOC Management server side / Bi-directional
IPP REST | 8081 | Public (MGMT) | ✗ | OVOC Management server side / Bidirectional
IPP REST | 8082 | Public (MGMT) | | OVOC Management server side / Bidirectional

External Servers
Skype for Business | 1433 | Skype For Business Server | | OVOC Management server side / Bidirectional
LDAP | 389 | LDAP Server | ✗ | OVOC Management server side / Bidirectional
LDAP | 636 | LDAP Server | | OVOC Management server side / Bidirectional
RADIUS | 1812 | On RADIUS Server | ✗ | OVOC Management server side / Bidirectional
Mail Server (forwarding) | 25 | Mail Server | ✗ | OVOC Management server side / Bidirectional
Syslog Server | 514 | Syslog Server | ✗ | OVOC Management server side / Bidirectional

Dedicated Cluster Node Ports
Akka platform used for inter-process communication | 2551..2555 | Private (All); Required access from cluster servers | ✗ | OVOC Management server side / Bidirectional
Java Database Connectivity (JDBC) used for communication with the PM server. | 1521 | Private (MGMT) | ✗ | OVOC Management server side / Bidirectional; Accessible only from other PM/VQM servers
Kafka platform used for inter-process communication | 9092 | Private (All); Required access from cluster servers | ✗ | OVOC Management server side / Bidirectional
ZooKeeper | 2181 | Private (All); Required access from cluster servers | ✗ | OVOC Management server side / Bidirectional

Part VII
Appendix

This part describes additional OVOC server procedures.

28 Configuring RAID-0 for AudioCodes OVOC on HP ProLiant DL360p Gen10 Servers

This appendix describes the required equipment and the steps for configuring the HP ProLiant server to support RAID-0 Disk Array configuration for the OVOC server installation.

This procedure erases any residual data on the designated disk drives.

If you have purchased the server hardware from AudioCodes then this procedure is not necessary.

RAID-0 Prerequisites

This procedure requires the following:
- ProLiant DL360p Gen10 server pre-installed in a compatible rack and connected to power.
- Two SATA DS 1.92 TB SSD disk drives
- A VGA display, USB keyboard, and USB mouse must be connected to the server back I/O panel.

RAID-0 Hardware Preparation

Make sure that two SATA DS 1.92 TB SSD disk drives are installed on slot 1 and 2 of the server. If required, refer to the HP Service Manual.

Figure 28-1: SATA DS 1.92 TB SSD Disks

Configuring RAID-0

The following procedures describe how to configure RAID-0 using the HP Smart Storage Administrator utility:
- Step 1 Create Logical Drive
- Step 2 Set Logical Drive as Bootable Volume

Step 1 Create Logical Drive

This section describes how to create a logical drive on RAID-0.
To create a logical drive on RAID-0:
1. Power up the server. If the server is already powered up and running, use the 'reboot' command (from system console as user root) to reboot the server.
2. While the server is powering up, monitor the server.
3. During reset, press <F9> to open the System Utilities.
4. Choose Embedded Applications > Intelligent Provisioning > Smart Storage Administrator.
5. Wait for the Smart Storage Administrator utility to finish loading.
6. In the left-hand pane, choose HPE Smart Array Controllers > HPE Smart Array E208i-a SR Gen10; an Actions menu is displayed.
7. Click Configure, and then click Clear Configuration to clear any previous configuration.
8. Click Clear to confirm; a summary display appears.
9. Click Finish to return to the main menu.
10. In the left-hand pane, select Unassigned Drives (2); make sure that both the drives are selected, and then click Create Array.
11. Select RAID 0 for RAID Level.
12. Select the 'Custom Size' check box, and then enter 2000GiB.
13. At the bottom of the screen, click Create Logical Drive. After the array is created, a logical drive should be created.
14. Click Finish.
15. Proceed to Section Step 2 Set Logical Drive as Bootable Volume below.

Step 2 Set Logical Drive as Bootable Volume

This section describes how to set the new logical drive as a bootable volume.

To set new logical drive as bootable volume:
1. In the left-hand pane, select HPE Smart Array E208i-a SR Gen10, and then click Set Bootable Logical Drive/Volume.
2. Select the 'Local - Logical Drive 1' as Primary Boot Logical Drive/Volume, and then click Save. A summary window is displayed.
3. Click Finish.
4. Exit the Smart Storage Administrator utility by clicking the X sign on the top right-hand side of the screen, and then confirm.
5. Click Exit at the bottom left-hand corner of the screen.
6. Click the Power icon in the upper right-hand corner of the screen.
7. Click Reboot to reboot the server. The Disk Array configuration is now complete.
8. Install the OVOC server (Installing the OVOC server on Dedicated Hardware).

29 Managing Clusters

This appendix describes how to manually migrate or move OVOC VMs to another cluster node.

Migrating OVOC Virtual Machines in a VMware Cluster

This section describes how to migrate your OVOC Virtual Machine from one ESXi host to another.

To migrate your OVOC VM:
1. Select the OVOC VM that you wish to migrate and then choose the Migrate option:
   Figure 29-1: Migration
2. Change a cluster host for migration:
   Figure 29-2: Change Host
3. Choose the target host for migration:
   Figure 29-3: Target Host for Migration
   The migration process commences:
   Figure 29-4: Migration Process Started

After the migration has completed, the OVOC application will run seamlessly on the VM on the new cluster's host.

Moving OVOC VMs in a Hyper-V Cluster

This section describes how to move a Virtual Machine to another host node in a Hyper-V cluster.

To move a Virtual Machine to another node of the cluster:
1. Select the Virtual Machine, right-click and from the menu, choose Move > Live Migration > Select Node.
   Figure 29-5: Hyper-V Live Migration
   The following screen is displayed:
   Figure 29-6: Move Virtual Machine
2. Select the relevant node and click OK. The migration process starts.
   Figure 29-7: Hyper-V Migration Process Started

After the migration has completed, the OVOC application will run seamlessly on the VM on the new cluster's node.
30 Supplementary Security Procedures

The procedures in this appendix describe supplementary procedures for completing the setup of X.509 Custom certificates. For more information on the implementation of custom certificates, refer to the OVOC Security Guidelines document.

This appendix describes the following procedures:
- Downloading certificates to the AudioCodes device (Installing Custom Certificates on OVOC Managed Devices below)
- Cleaning up Temporary files on the OVOC server (Cleaning up Temporary Files on OVOC Server)

Installing Custom Certificates on OVOC Managed Devices

This section describes how to install Custom certificates on OVOC managed devices. These certificates will be used to secure the connection between the device and OVOC server. This procedure is performed using the device's embedded Web server.

This section describes how to install certificates for the following devices:
- Enterprise gateways and SBC devices (Gateways and SBC Devices below).
- MP-1xx devices (MP-1xx Devices).

When securing the device connection over HTTPS, the certificate loaded to the device must be signed by the same CA as the certificate loaded to the OVOC server.

The Single-Sign On mechanism is used to enable automatic login to the device's embedded Web server tool from the device's status screen in the OVOC. This connection is secured over port 443. OVOC logs into the OVOC managed device using the credentials that you configure in the AudioCodes device details or Tenant Details in the OVOC Web. You can also log in to the AudioCodes device using the RADIUS or LDAP credentials (for more information, refer to the OVOC User's Manual).

Gateways and SBC Devices

This section describes how to install custom certificates on gateways and SBC devices. The device uses TLS Context #0 to communicate with the OVOC server. Therefore, the configuration described below should be performed for TLS Context #0.
Step 1: Generate a Certificate Signing Request (CSR)

This step describes how to generate a Certificate Signing Request (CSR).

To generate certificate signing request:
1. Login to the device's Web server.
2. Open the TLS Contexts page (Setup menu > IP Network tab > Security folder > TLS Contexts).
3. In the table, select the TLS Context Index #0, and then click the TLS Context Certificate button, located below the table; the Context Certificates page appears.
   Figure 30-1: Context Certificates
4. Under the Certificate Signing Request group, do the following:
   a. In the 'Subject Name [CN]' field, enter the device's DNS name, if such exists, or device's IP address.
   b. Fill in the rest of the request fields according to your security provider's instructions.
   c. Click the Create CSR button; a textual certificate signing request is displayed in the area below the button:
   Figure 30-2: Certificate Signing Request Group
5. Copy the text and send it to the certificate authority (CA) to sign this request.

Step 2: Receive the New Certificates from the CA

You will receive the following files from the Certificate Authority (CA):
- Your (device) certificate: rename this file to "device.crt"
- Root certificate: rename this file to "root.crt"
- Intermediate CA certificates (if such files exist): rename these files to "ca1.crt", "ca2.crt" etc.

Save the signed certificate to a file (e.g., device.crt). Make sure that all certificates are in PEM format and appear as follows:

    -----BEGIN CERTIFICATE-----
    MIIBuTCCASKgAwIBAgIFAKKlMbgwDQYJKoZIhvcNAQEFBQAwFzEVMBMGA1UEAxMM
    RU1TIFJPT1QgQ0EyMB4XDTE1MDUwMzA4NTE0MFoXDTI1MDUwMzA4NTE0MFowKjET
    ...
    Tl6vqn5I27Oq/24KbY9q6EK2Yc3K2EAadL2IF1jnb+yvREuewprOz6TEEuxNJol0
    L6V8lzUYOfHrEiq/6g==
    -----END CERTIFICATE-----

The above files are required in the following steps.
Make sure that you obtain these files before proceeding and save them to the desired location. Use the exact filenames as mentioned above.

Step 3: Update Device with New Certificate

This step describes how to update the device with the new certificate.

To update device with new certificate:
1. Open the TLS Contexts page (Setup menu > IP Network tab > Security folder > TLS Contexts).
2. In the table, select TLS Context #0, and then click the Change Certificate button, located below the table; the Context Certificates page appears.
   Figure 30-3: TLS Contexts Table
3. Under the Upload certificates files from your computer group, click the Browse button corresponding to the 'Send Device Certificate...' field and then navigate to the device.crt file, and click Send File.
   Figure 30-4: Upload Certificate Files from your Computer Group

Step 4: Update Device's Trusted Certificate Store

This step describes how to update the device's Trusted Certificate Store.

To update device's trusted certificate store:
1. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
2. In the table, select the TLS Context #0, and then click the Trusted Root Certificates button, located below the table; the Trusted Certificates page appears.
   Figure 30-5: Trusted Root Certificates
3. Click the Import button, and then browse to the root.crt file. Click OK to import the root certificate.
   Figure 30-6: Importing Certificate into Trusted Certificates Store
4. If you received intermediary CA certificates (ca1.crt, ca2.crt, etc.), import them in a similar way.

Step 5: Configure HTTPS Parameters on the Device

This section describes how to configure HTTPS related parameters on the device.

You can optionally pre-stage the device with a pre-loaded ini file including this configuration (for more information, contact your AudioCodes representative).
If you have enabled the Interoperability Automatic Provisioning feature, ensure that your template file is also configured as described in this procedure to maintain an active HTTPS connection after the template file has been loaded to the device.

When you set up an HTTPS connection on the device, you must also enable HTTPS ("Enable HTTPS Connection") when adding the device to the OVOC (refer to the OVOC User's Manual).

To configure HTTPS parameters on the device:
1. Create a new text file using a text-based editor (e.g., Notepad).
2. Include the following ini file parameters for server-side authentication:
   For Media Gateway and SBC devices:
       AUPDVerifyCertificates=1
   For MP-1xx devices, the ini file should include the following two lines:
       AUPDVerifyCertificates=1
       ServerRespondTimeout=10000
   When working with SEM TLS (OVOC Voice Quality Package - SBC Communication), add the following parameter:
       QOEENABLETLS=1
3. Save and close the file.
4. Load the generated file as "Incremental INI file" (Maintenance menu > Software Update > Load Auxiliary Files > INI file (incremental)).
5. Open the TLS Contexts page (Setup menu > IP Network tab > Security folder > TLS Contexts).
6. In the table, select the TLS Context #0, and then click Edit. The following screen is displayed:
   Figure 30-7: TLS Contexts: Edit Record
7. Set the required 'TLS Version' (default TLS Version 1.0).
8. Set 'HTTPS Cipher Server' to ALL.
9. Set 'HTTPS Cipher Client' to ALL.

Step 6: Reset Device to Apply the New Configuration

This step describes how to reset the device to apply the new configuration.

To save the changes and reset the device:
1. Reset the device with a save-to-flash for your settings to take effect (Setup menu > Administration tab > Maintenance folder > Maintenance Actions).
MP-1xx Devices

This section describes how to install Custom certificates on the MP-1xx devices.

For installing certificates on MP2xx devices, refer to Section "Securing Remote Management with Certificates" in the MP-20x Telephone Adapter User's Manual.

Step 1: Generate a Certificate Signing Request (CSR)

This step describes how to generate a Certificate Signing Request (CSR).

To generate a CSR:
1. Your network administrator should allocate a unique DNS name for the device (e.g., dns_name.corp.customer.com). This DNS name is used to access the device and therefore, must be listed in the server certificate.
2. If the device is operating in HTTPS mode, then set the 'Secured Web Connection (HTTPS)' parameter (HTTPSOnly) to HTTP and HTTPS (refer to the MP-11x and MP-124 User's Manual). This ensures that you have a method for accessing the device in case the new certificate does not work. Restore the previous setting after testing the configuration.
3. Login to the MP-1xx Web server.
4. Open the Certificates page (Configuration tab > System menu > Certificates).
5. Under the Certificate Signing Request group, do the following:
   a. In the 'Subject Name [CN]' field, enter the DNS name.
   b. Fill in the rest of the request fields according to your security provider's instructions.
   c. Click the Create CSR button; a textual certificate signing request is displayed in the area below the button:
   Figure 30-8: Certificate Signing Request Group
6. Copy the text and send it to the certificate authority (CA) to sign this request.

Step 2: Receive the New Certificates from the CA

You will receive the following files from the Certificate Authority (CA):
- Your (device) certificate: rename this file to "device.crt"
- Root certificate: rename this file to "root.crt"
- Intermediate CA certificates (if such files exist): rename these files to "ca1.crt", "ca2.crt" etc.
Save the signed certificate to a file (e.g., device.crt). Make sure that all certificates are in PEM format and appear as follows:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The above files are required in the following steps. Make sure that you obtain these files before proceeding. Use the exact filenames as mentioned above.

Step 3: Update Device with New Certificate

This step describes how to update the device with the new certificate.

To update the device with the new certificate:
1. In the Certificates page, scroll down to the Upload certificates files from your computer group, click the Browse button corresponding to the 'Send Device Certificate...' field, navigate to the device.crt file, and then click Send File.
2. After the certificate successfully loads to the device, save the configuration with a device reset (Step 6: Reset Device to Apply the New Configuration below).

Step 4: Update Device's Trusted Certificate Store

For the device to trust a whole chain of certificates you need to combine the contents of the root.crt and ca.crt certificates into a single text file (using a text editor).

To update the device with the new certificate:
1. Open the root.crt file (using a text-based editor, e.g., Notepad).
2. Open the ca.crt file (using a text-based editor, e.g., Notepad).
3. Copy the content of the ca.crt file and paste it into the root.crt file above the existing content.
   Below is an example of two certificate files combined (the file "ca2.crt" and the "root.crt") where the ca2.crt file contents are pasted above the root.crt file contents:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

   The maximum supported size of the combined file of trusted chain of certificates is 100,000 bytes (including the certificate's headers).
4. Save the combined content to a file named "chain.pem" and close the file.
5. Open the Certificates page and upload chain.pem file using the 'Trusted Root Certificate Store' field.

Step 5: Configure HTTPS Parameters on Device

Configure HTTPS Parameters on the device (Step 5: Configure HTTPS Parameters on the Device above).

Step 6: Reset Device to Apply the New Configuration

This section describes how to apply the new configuration.

To save the changes and reset the device:
1. Reset the device with a save-to-flash for your settings to take effect (Setup menu > Administration tab > Maintenance folder > Maintenance Actions).

Cleaning up Temporary Files on OVOC Server

It is highly recommended to clean up temporary files on the OVOC server after certificates have been successfully installed. This is necessary to prevent access to security-sensitive material (certificates and private keys) by malicious users.
To delete temporary certificate files:
1. Login to the OVOC server as user root.
2. Remove the temporary directories:
    rm -rf /home/acems/server_certs
    rm -rf /home/acems/client_certs

31 Transferring Files

This appendix describes how to transfer files to and from the OVOC server using any SFTP/SCP file transfer application.

FTP by default is disabled on the OVOC server.

To transfer files to and from the OVOC server:
1. Open your SFTP/SCP application, such as WinSCP or FileZilla.
2. Login with the acems/acems credential (all files transferred to the OVOC server host machine are then by default saved to /home/acems directory).
3. Copy the relevant file(s) from your PC to the host machine (or vice-versa). For example, using the FileZilla program, you drag the relevant file from the left pane (i.e., your PC directory) to the right pane (i.e., the /home/acems directory on the OVOC server host machine).

32 Verifying and Converting Certificates

This appendix describes how to verify that certificates are in PEM format and describes how to convert them from DER to PEM if necessary.

To verify and convert certificates:
1. Login to the OVOC server as user root.
2. Transfer the generated certificate to the OVOC server.
3. In the directory to which you transferred the certificate, execute the following command to verify that the certificate file is in PEM format:
    openssl x509 -in certfilename.crt -text -noout
4. Do one of the following:
   a. If the certificate is displayed in text format, then this implies that the file is in PEM format, and therefore you can skip the steps below.
   b. If you receive an error similar to the one displayed below, this implies that you are trying to view a DER encoded certificate and therefore need to convert it to the PEM format.
    unable to load certificate
    12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
5. Convert the DER certificate to PEM format:
    openssl x509 -inform der -in certfilename.crt -out certfilename.crt

33 Self-Signed Certificates

When using self-signed certificates, use the following instructions for recognizing the secure connection with the OVOC server from your OVOC client browsers.

Mozilla Firefox

When you are prompted with a message that the web page that you are trying to open using Mozilla Firefox is insecure, do the following:
1. Click the "I Understand the Risks" option.
2. Click the Add Exception button, and then click the Confirm Security Exception button.
   Figure 33-1: Mozilla Firefox Settings

Google Chrome

When you are prompted with a message that the web page that you are trying to open using Google Chrome is insecure, do the following:
1. Click Advanced and then click the "Proceed to <Server IP> (unsafe)" link.
   Figure 33-2: Chrome Browser Settings

Microsoft Edge

When you are prompted with a message that the web page that you are trying to open using Microsoft Edge is insecure, do the following:
Click Details and then click the link Go on to the webpage.
   Figure 33-3: Microsoft Edge Browser
   Figure 33-4: Go on to the Web Page

34 Datacenter Disaster Recovery

Introduction

This appendix describes the OVOC Disaster Recovery procedure for deployments where OVOC is deployed in two separately geographically located datacenters with two different network spaces, in which minimal impact on the SBC/Gateway and OVOC downtime is desired.

Examples shown in this Appendix are for the VMware platform; however, these procedures are also relevant for Hyper-V platform.
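Returning to the certificate appendices above: the chain file that Step 4 of the MP-1xx procedure assembles by hand, and the PEM/DER check from Verifying and Converting Certificates, can be scripted together. The following is an added example, not part of the AudioCodes manual; the function names and the script name are hypothetical, the file names (device.crt, root.crt, ca1.crt, chain.pem) and the 100,000-byte limit come from the manual, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not AudioCodes code): check certificate encoding, build
# chain.pem for the device's trusted store, and confirm that device.crt
# chains to a CA in that file before anything is uploaded.

MAX_CHAIN_BYTES=100000   # limit the manual gives for the combined chain file

# Print "pem", "der" or "invalid" for the certificate file $1.
cert_encoding() {
    if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo pem
    elif openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1; then
        echo der
    else
        echo invalid
    fi
}

# Write a PEM copy of certificate $1 to $2. The copy goes to a separate
# path so the file received from the CA is kept as delivered.
to_pem() {
    case "$(cert_encoding "$1")" in
        pem) openssl x509 -in "$1" -out "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# build_chain OUT CERT...
# Concatenate the certificates in the order given (intermediate CA files
# first, root.crt last, matching the manual's combined-file example).
# Each input is re-encoded through openssl, so every block starts on its
# own line even when a source file lacks a trailing newline.
build_chain() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for cert in "$@"; do
        to_pem "$cert" "$tmp.one" || { rm -f "$tmp" "$tmp.one"; return 1; }
        cat "$tmp.one" >> "$tmp"
    done
    rm -f "$tmp.one"
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -gt "$MAX_CHAIN_BYTES" ]; then
        echo "chain is $size bytes, limit is $MAX_CHAIN_BYTES" >&2
        rm -f "$tmp"
        return 2
    fi
    mv "$tmp" "$out"
}

# Number of certificate blocks in the PEM bundle $1.
chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if certificate $2 verifies against the CA bundle $1.
verify_device() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage (hypothetical script name):
#   sh prepare_chain.sh device.crt ca1.crt root.crt
if [ "$#" -ge 2 ]; then
    device=$1; shift
    build_chain chain.pem "$@" && verify_device chain.pem "$device" &&
        echo "chain.pem: $(chain_count chain.pem) certificate(s); $device verifies"
fi
```

Run it in the directory holding the files received from the CA; a non-zero exit status means the chain was not written or the device certificate does not verify against it.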
Solution Description

The Disaster Recovery solution is composed of two virtual machines in accordance with the OVOC system requirements (see Hardware and Software Requirements). Virtual Low and Virtual High setups are supported. It is recommended that each OVOC machine will have a VMware High Availability (HA) setup to support local Data Center (DC) HA. Both machines should have identical hardware configuration and be installed with exactly the same OVOC software version.

One of the machines will work as 'Active' and will be constantly up and running. The second machine is defined as 'Redundant'. It should not be turned off and the application should be stopped and always remain off. The primary machine backup files should be saved and periodically transferred to the external storage of the standby location. If the primary machine fails, the user should run the Disaster Recovery procedure as shown below.

Figure 34-1: Disaster Recovery Between Two DataCenters with VMware HA

Initial Requirements

The following initial requirements need to be adhered to before implementing the Disaster Recovery procedure:
- Both machines should have identical hardware (CPU, Memory, Disk, IO).
- An identical Linux OS (the same DVD), database, and the OVOC software version should be used.
- Identical database passwords need to be configured on both servers.
- Identical OVOC Server Manager settings must be configured on both servers (e.g., HTTP/HTTPS communication, etc.).
- If non-default certificates are used, they must be pre-installed on both servers.
- Both machines should have a valid license per each Machine ID with identical capabilities.
- When upgrading the OVOC server software, both machines should be upgraded. Make sure that the redundant machine is not rebooted after the upgrade process and the OVOC application remains closed.
- When upgrading OVOC, the backup that was created before the upgrade cannot be used anymore.
You should only use the backups created after the upgrade process. For more information on backing up the OVOC server, see OVOC server Backup.
- Make sure that active server backups are not stored on the server machine.

New Customer Configuration

The procedure below describes the steps for a New Customer configuration.

To perform a New Customer configuration:
1. Install and properly configure both servers.
2. Make sure the primary OVOC server is up and running.
3. For each device added and managed by the OVOC server, the following features should be provisioned with both primary and secondary servers' IP addresses:
   - Trap Destination Server
   - Session Experience Manager
   - NTP Server Address

Data Synchronization Process

To save recovery time, it is advised that at the end of the daily / weekly backup, transfer the latest backup files from the primary to the secondary server machine. The data transfer may be performed automatically using a customer-defined script.

The data transfer is the responsibility of the Enterprise's IT implementation team.

Recovery Process

The procedure below describes the recovery process.

To run the recovery process:
1. If the primary machine fails, use the Server Manager to make sure the OVOC application has been closed, before starting the secondary machine recovery process.
2. Do not run the OVOC software on the secondary machine at this stage. Just make sure the machine is up and running.
3. Verify that server software version is the same as on the Primary server, by checking the OVOC server Manager title.
4. Start the secondary server machine, making sure that all the processes are up and running.
5. Make sure that all backup files are in the /data/NBIF directory.
6. In OVOC Server Manager, go to the Application Maintenance menu and select the Restore option (OVOC Server Restore).
7. Follow the instructions during the process; you might need to press Enter a few times.
8. After the restore operation has completed, you are prompted to reboot the OVOC server.
9. If you have installed custom certificates prior to the restore, you must re-install them.
10. Login to the OVOC Web client and verify that there is connectivity and the application is functioning correctly.
11. If you are using one or more features which are marked in the table below as 'Not Supported', please provision all the managed devices with a new Management Server IP address.
12. For SBC Fixed and Floating License Pool customers, run the Update command for all the managed devices.

See the table below summarizing the features affected by Disaster Recovery functionality.

Table 34-1: Features Affected by Disaster Recovery Functionality

Feature | Status

Management
Alarms + NAT communication based on Keepalive traps | Supported
Fixed License Pool and Floating License | Not Supported
IP Phones Manager Pro: Alarms / Status reports | Not Supported

Advanced Quality Package
SBC/Gateway Voice Quality Monitoring | Supported
Endpoint Quality monitoring (RFC 6035) | Not Supported

Server
Server: Device NTP Server | Supported
Server: Device Syslog Server | Not Supported
Server: Device TP Debug recording server | Not Supported
Document #: LTRT-94180