Plan for Media Gateways

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

The number, size, and location of media gateways is perhaps the most important and potentially costly decision you must make when planning your Enterprise Voice infrastructure. The main questions to answer:

  • What type of gateway should you deploy?

  • How many media gateways are needed? The answer depends at least in part on the size of the gateways and where they are to be deployed.

  • What size should the gateways be? The answer depends in part on how many you plan to deploy and where you plan to put them.

  • Where should the gateways be located? The answer depends in part on the topology and geographic distribution of your organization.

In other words, no one of the previous questions can be answered independently of the other three. Answers to all four depend ultimately on how much telephone traffic you anticipate and how that traffic is distributed across your organization. But that is only the beginning, the base data, so to speak. You must also consider your gateway topology options.

Choosing the Type of Gateway to Deploy

Communications Server 2007 supports three types of media gateways: Advanced, Basic, and Basic Hybrid. You can find a current list of qualified gateways that work with Communications Server at https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IPpbxVend. The advantages and disadvantages of these three gateway types are summarized in the following table.

Table 83 Basic and Collocated Gateways Compared

Gateway Type | Advantages | Disadvantages
Basic Media Gateway | Existing hardware can perhaps be used for Mediation Server. | Mediation Server entails additional overhead for installation, configuration, and management.
Basic Hybrid Media Gateway | Does not require a separate Mediation Server. Installation, configuration, and management are simpler than for a combination of Basic Media Gateway and Mediation Server. | (none listed)
Advanced Media Gateway | Does not require a separate Mediation Server. Installation, configuration, and management are simpler than for the other gateway types. | (none listed)

Gateway Topologies

When attempting to answer the four fundamental questions of gateway deployment listed earlier in Plan for Media Gateways, the obvious approach is to:

  • Count the sites at which your organization has offices.

  • Estimate the traffic at each site.

  • Deploy one or more gateways at each site to handle the anticipated traffic.

The resulting distributed gateway topology is shown in the following figure.

Figure 32   Distributed gateway topology


With this topology, calls among workers at each site and between the sites are all routed over the company intranet. Calls to the PSTN are routed over the enterprise IP network to the gateways that are closest to the location of the destination numbers.

But what if your organization supports dozens or hundreds or even thousands of sites spread across one or more continents, as many financial institutions and other large enterprises do? In such cases deploying a separate gateway at each site is impractical.

To address this problem, many large companies prefer to deploy one or a few large telephony data centers, as shown in the following figure.

Figure 33   Datacenter Gateway Topology


In this topology, several large gateways sufficient to accommodate the anticipated user load are deployed at each data center. All calls to users in the enterprise are forwarded by the company's telephone service provider to a data center. Routing logic at the data center determines whether the call should be routed over the intranet or to the PSTN.

Placing a gateway at every site on the one hand or at a single data center on the other represent the extremes of a deployment continuum along which seemingly infinite combinations are possible. You can deploy single gateways at several sites and several gateways at a data center in nearly any possible combination. The best solution in each case depends on a variety of factors that are specific to each organization.

Gateway Location

Gateway location may also determine the types of gateways you choose and how they are configured. There are dozens of PSTN protocols, and these vary from country to country. If all your gateways are located in a single country, this is not an issue, but if you locate gateways in several countries, each must be configured according to the PSTN standards of that country. Moreover, gateways that are certified for operation in, say, Canada, may not be certified in India, Brazil, or the European Union.

Gateway Size and Number

The media gateways that most organizations will consider deploying range in size from 2 to as many as 960 ports. (There are even larger gateways, but these are used mainly by telephone service providers.) When estimating the number of ports your organization requires, use the following guidelines:

  • Light telephony users (1 PSTN call per hour) should allocate 1 port for every 15 users. For example, if you have 20 users, you will require a gateway with 2 ports.

  • Moderate telephony users (2 PSTN calls per hour) should allocate 1 port for every 10 users. For example, if you have 100 users, you will require a total of 10 ports allocated among one or more gateways.

  • Heavy telephony users (3 or more PSTN calls per hour) should allocate 1 port for every 5 users. For example, if you have 47,000 users, you will require a total of 9,400 ports allocated among at least 10 large gateways.

  • Additional ports can be acquired as the number of users or amount of traffic in your organization increases.

For any given number of users you must support, you have the choice of deploying fewer, larger gateways or more, smaller ones. As a rule, a minimum of two gateways for an organization is recommended in the event one goes down. Beyond that, the number and size of gateways that an organization deploys will vary widely, based on a careful analysis of each organization's volume of telephone traffic.

Each basic media gateway that you deploy must have at least one corresponding Mediation Server. It is possible, though not recommended, to point a single gateway to multiple Mediation Servers, but you cannot point a single Mediation Server to more than one media gateway.

For specific hardware requirements, review the Hardware Requirements and Scaling Numbers for Mediation Server section, in Server Platform Requirements, earlier in this document.

Note

A basic hybrid media gateway is configured to work only with the collocated Mediation Server and therefore should not be pointed to other Mediation Servers.

Gateway Configuration

The settings that you must configure on your Basic Media Gateway are specified in the following list, but for information about how to configure these settings on a given gateway, refer to the manufacturer’s product documentation. Each gateway must be configured according to the vendor’s documentation. Depending on the vendor, there are potentially many attributes that must be set, but the attributes specific to Enterprise Voice are as follows:

  • The FQDN and IP Address of the Mediation Server that is associated with the gateway.

  • The listening port (5060) that is used for TCP connections to the Mediation Server.

Important

The previous settings must match those of corresponding settings for the Mediation Server. If the settings do not match, the connection between the gateway and Mediation Server will fail.

  • SIP Transport – specify either TLS (recommended) or TCP.

Important

If you specify TLS as the SIP transport to be used by your basic or basic-hybrid media gateway, you must also configure the corresponding Mediation Server for TLS.

  • If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, the gateway must be configured with a certificate for purposes of authentication during the MTLS handshake with the Mediation Server. The certificate on the gateway must be configured as follows:

    • The certificate may be directly signed by the trusted CA configured in the Mediation Server. Alternatively, a certificate chain may have to be traversed to verify the certificate provided by the gateway. The gateway must provide this chain as part of its TLS handshake with the Mediation Server.

    • The CN part of the subject field should be set to the FQDN of the gateway. If the FQDN in the CN part of the subject field does not match the expected and configured FQDN for the gateway, the certificate must also contain a SAN (subject alternate name) that lists the expected and configured FQDN for the gateway.

      The Mediation Server validates the certificate provided by the gateway by checking that the FQDN on the certificate exactly matches the gateway FQDN configured on the Mediation Server. If the FQDNs do not match, the session is terminated. Additional validation includes checking the signature and expiration date, and making sure that the certificate has not been revoked.

  • If the SIP transport for the link between the gateway and the Mediation Server is set to TLS, separate ports must be opened for the TLS connection to the gateway and the TLS connection to the Office Communications Server pool. The port assignments should be configured as follows:

    • TLS link between media gateway and Mediation Server: 5060

    • TLS link between Mediation Server and Office Communications Server pool: 5061

  • Each gateway must be configured so that the E.164 numbers routed by Enterprise Voice to the gateway are normalized to a locally dialable format.

  • Each gateway must also be configured to pass only E.164 numbers to the Mediation Server. Please see each gateway vendor’s documentation for specific instructions on how to normalize source phone numbers to E.164.

  • Each gateway should be configured to convert the source number (the number presented as caller id) to a normalized E.164 number. This ensures the caller ID can be matched to a Communicator contact, an Outlook contact, or a member of the corporate directory, thereby enabling Communicator to provide additional information about the caller. This number will also appear in e-mails notifying the user of missed calls and voice mail, allowing the user to click the phone number in order to quickly return a call. If the number has been normalized by the gateway, no further processing is required. If for some reason the number cannot be normalized by the gateway, then the normalization rules defined by the location profile will be applied when returning a call. It might be necessary to add normalization rules to a location profile to handle numbers that cannot be normalized by the gateway. Please see each gateway vendor’s documentation for specific instructions on how to normalize source phone numbers to E.164.
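The certificate check described above (exact FQDN match on the subject CN, then on a SAN entry, plus validity dates), as an added example that is not part of the original page. It operates on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the certificate fields, FQDNs and clock value are constructed, and chain-signature and revocation checks are left to the TLS stack and CRL lookup.

```python
import ssl
import time

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns for a
# peer certificate; CN and SAN differ so the SAN fallback path is exercised.
GATEWAY_CERT = {
    "subject": ((("commonName", "gw01.contoso.example"),),),
    "subjectAltName": (("DNS", "gw01.contoso.example"),
                       ("DNS", "pstn-gw.contoso.example")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2026 GMT")  # fixed clock for the demo


def fqdn_matches(cert, expected_fqdn):
    """Exact match only, as the page describes: first the subject CN, then any DNS
    entry in subjectAltName. Wildcards are not expanded."""
    want = expected_fqdn.lower().rstrip(".")
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower().rstrip(".") == want:
                return True
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower().rstrip(".") == want:
            return True
    return False


def validate_gateway_cert(cert, expected_fqdn, now=None):
    """Return (accepted, reason). Chain signature and revocation checks belong to
    the TLS stack and CRL lookup and are not repeated here."""
    now = time.time() if now is None else now
    if not fqdn_matches(cert, expected_fqdn):
        return False, "FQDN mismatch: session terminated"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    if "notBefore" in cert and now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    return True, "accepted"


if __name__ == "__main__":
    for fqdn in ("gw01.contoso.example", "pstn-gw.contoso.example", "gw02.contoso.example"):
        print(fqdn, validate_gateway_cert(GATEWAY_CERT, fqdn, now=SAMPLE_NOW))
```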

For a list of media gateway vendors, see https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=IPpbxVend
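The number-normalization bullets above describe two translations: the gateway converts the caller-ID (source) number to E.164, with the location profile's rules as the fallback when the gateway cannot, and the gateway converts E.164 numbers routed to it into a locally dialable string. The following is an added example, not code from the page or from any gateway vendor; the regex rules, the +1 425 site and its 555-xxxx DID block are constructed assumptions in the pattern/translation style of location-profile normalization rules.

```python
import re


def apply_rules(number, rules):
    """Apply the first (pattern, translation) rule whose pattern matches the whole
    digit string; return None when no rule matches."""
    digits = re.sub(r"[^\d+]", "", number)       # strip spaces, dashes, parentheses
    for pattern, translation in rules:
        if re.fullmatch(pattern, digits):
            return re.sub(pattern, translation, digits)
    return None


# Constructed rules a NANP gateway applies to the source (caller-ID) number.
GATEWAY_TO_E164 = [
    (r"\+(\d{7,15})",    r"+\1"),    # already E.164: pass through
    (r"1?([2-9]\d{9})",  r"+1\1"),   # 10-digit NANP number, optional leading 1
    (r"011(\d{7,15})",   r"+\1"),    # international number with the NANP 011 prefix
]

# Constructed location-profile rules for an assumed +1 425 site with a 555-xxxx
# DID block; they cover the short forms the gateway above cannot normalize.
PROFILE_TO_E164 = GATEWAY_TO_E164 + [
    (r"([2-9]\d{6})",    r"+1425\1"),      # 7-digit local number
    (r"(\d{4})",         r"+1425555\1"),   # 4-digit extension inside the DID block
]

# Constructed rules the gateway applies to E.164 numbers that Enterprise Voice
# routes to it, producing the locally dialable string for a NANP trunk.
E164_TO_LOCAL = [
    (r"\+1(\d{10})",     r"1\1"),     # domestic: 1 + area code + number
    (r"\+(\d{7,15})",    r"011\1"),   # international: 011 + country code + number
]


def caller_id_to_e164(raw):
    """Gateway normalization first; if it fails, the location profile's rules apply."""
    return apply_rules(raw, GATEWAY_TO_E164) or apply_rules(raw, PROFILE_TO_E164)


def outbound_to_local(e164):
    """Convert a routed E.164 number to the gateway's locally dialable format."""
    local = apply_rules(e164, E164_TO_LOCAL)
    if local is None:
        raise ValueError(f"not a routable E.164 number: {e164!r}")
    return local
```

A caller-ID that neither rule set can normalize comes back as None, which is the case where the page says additional normalization rules must be added to the location profile.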

Configure Dual Interface Cards for Mediation Server

To help ensure the physical as well as logical separation of your Enterprise Voice infrastructure from the media gateways, you should install Mediation Server on a computer that is equipped with two network interface cards (NICs). One card faces the gateway; the second card faces the Communications Server 2007 server that acts as the Mediation Server's internal next hop.

When you install Mediation Server, the Deployment Wizard detects the presence of the two network cards and writes their IP addresses to the Communications Server listening IP address list and the Gateway listening IP address list, both on the General tab of the Mediation Server properties dialog box.

The Communications Server listening IP address is the address on an advanced media gateway that listens for call traffic from Communications Server. Until advanced media gateways are available, this address corresponds to the network card that serves as the internal edge of the Mediation Server.

Important

The IP address that you select from the Communications Server listening IP address list must match the address that is returned by a DNS query on the Mediation Server's FQDN. If the two addresses do not match, you will not be able to connect, because call traffic will be directed to an interface that is not listening for Office Communications Server traffic rather than to the one that is listening.

The Gateway listening IP address is the address on the Mediation Server that listens for traffic from a Basic Media Gateway or Basic Hybrid Media Gateway. For Communications Server 2007, this address corresponds to the network card that serves as the external edge of the Mediation Server.

Note

It is possible to configure both edges on a single adapter card, but this alternative is not recommended.

Media Bandwidth

For basic media gateways, the bandwidth requirement between gateway and Mediation Server is 64 Kbps for each concurrent call. Multiplying this number by the number of ports for each gateway is a fair estimate of the required bandwidth on the gateway side of the Mediation Server. On the Communications Server side, the bandwidth requirement is considerably lower.
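The port-sizing guidelines in Gateway Size and Number (ports per user by usage class, at least two gateways, sizes up to 960 ports) and the 64 Kbps per concurrent call given above fit naturally into one capacity calculation. The following is an added example, not a Microsoft tool; the rounding of each usage class up to a whole port follows the page's 20-user example, and the mixed-site user counts in the usage line are constructed.

```python
import math

# Ports-per-user ratios from the Gateway Size and Number guidelines on this page.
USERS_PER_PORT = {"light": 15, "moderate": 10, "heavy": 5}
KBPS_PER_PORT = 64            # Media Bandwidth: 64 Kbps per concurrent call on the gateway side
MIN_GATEWAYS = 2              # page recommends at least two gateways in case one goes down
MAX_PORTS_PER_GATEWAY = 960   # largest gateway size most organizations consider


def required_ports(users):
    """users maps a usage class ('light', 'moderate', 'heavy') to a user count.
    Each class is rounded up separately, as the page's 20-user example implies."""
    return sum(math.ceil(count / USERS_PER_PORT[cls]) for cls, count in users.items())


def gateway_plan(users, ports_per_gateway=MAX_PORTS_PER_GATEWAY):
    """Return the port total, how many gateways of the chosen size are needed, the
    even split of ports across them, and the gateway-side bandwidth that each
    gateway's Mediation Server must carry when every port is busy."""
    if not 2 <= ports_per_gateway <= MAX_PORTS_PER_GATEWAY:
        raise ValueError("gateway size must be between 2 and 960 ports")
    ports = required_ports(users)
    gateways = max(MIN_GATEWAYS, math.ceil(ports / ports_per_gateway))
    per_gateway = math.ceil(ports / gateways)   # even split: one failure loses about 1/n capacity
    return {
        "ports": ports,
        "gateways": gateways,
        "ports_per_gateway": per_gateway,
        "kbps_per_mediation_server": per_gateway * KBPS_PER_PORT,
        "kbps_total": ports * KBPS_PER_PORT,
    }


if __name__ == "__main__":
    # Constructed example: one site with a mix of usage classes and 48-port gateways.
    print(gateway_plan({"light": 300, "moderate": 250, "heavy": 75}, ports_per_gateway=48))
```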

When configuring Mediation Server, you are advised to accept the default media gateway port range of 60,000 to 64,000. Reducing the port range greatly reduces server capacity and should be undertaken only for specific reasons by an administrator who is knowledgeable about media port requirements and scenarios. For this reason, altering the default port range is not recommended.

High-bandwidth traffic such as voice and video tends to stress poorly provisioned networks. Limiting media traffic to a known range of ports makes troubleshooting such problems easier.

Plan for Media Gateway Security

Because a media gateway receives calls from the PSTN, it presents a potential security vulnerability. The recommended mitigation is to:

  • Enable TLS on the link between the gateway and the Mediation Server. This will assure that signaling is encrypted end to end between the gateway and your internal users.

  • Physically isolate the media gateway from the internal network by deploying the Mediation Server on a computer with two network interface cards: one accepting traffic only from the internal network; the second accepting traffic from a media gateway. Each card is configured with a separate listening address so that there is always clear separation between trusted traffic originating in the Communications Server network and untrusted traffic from the PSTN.

    The internal edge of a Mediation Server should be configured to correspond to a unique static route that is described by an IP address and a port number. The default port is 5061.

    The external edge of a Mediation Server should be configured as the internal next-hop proxy for the media gateway. It should be identified by a unique combination of IP address and port number. The IP address should not be the same as that of the internal edge, but the default port is 5060.

Encryption

Media flowing in both directions between the Mediation Server and the Communications Server network is encrypted using SRTP.

Organizations that rely on IPSec for packet security are strongly advised to create an exception on a small media port range if they are to deploy Enterprise Voice. The security negotiations required by IPSec work fine for normal UDP or TCP connections, but they can slow down call setup to unacceptable levels.