ale application partner program inter-working report...edition 4: minor changes in nginx config file...

ALE Application Partner Program – Inter-working report - Edition 8 - page 1/45

Copyright © 2018 ALE , All rights reserved

ALE Application Partner Program Inter-Working Report

Partner: NGINX

Application type: Reverse Proxy

Application name: NGINX Plus R14

Alcatel-Lucent Platform: OpenTouch™

The product and release listed have been tested with the Alcatel-Lucent Enterprise Communication Platform and the release specified hereinafter. The tests concern only the inter-working between the AAPP member’s product and the Alcatel-Lucent Enterprise Communication Platform. The inter-working report is valid until the AAPP member’s product issues a new major release of such product (incorporating new features or functionality), or until ALE International issues a new major release of such Alcatel-Lucent Enterprise product (incorporating new features or functionalities), whichever first occurs. ALE INTERNATIONAL MAKES NO REPRESENTATIONS, WARRANTIES OR CONDITIONS WITH RESPECT TO THE APPLICATION PARTNER PRODUCT. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, ALE INTERNATIONAL HEREBY EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY NATURE WHATSOEVER AS TO THE AAPP MEMBER’S PRODUCT INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE AND ALE INTERNATIONAL FURTHER SHALL HAVE NO LIABILITY TO AAPP MEMBER OR ANY OTHER PARTY ARISING FROM OR RELATED IN ANY MANNER TO THIS CERTIFICATE.



Certification overview

Date of certification January 2018

ALE International representative Claire Dechristé

AAPP member representative Paul Oh

Alcatel-Lucent Enterprise Communication Platform

OpenTouch BE/MS

Alcatel-Lucent Enterprise Communication Platform Release

OT 2.3.1 (14.0.009.003)

AAPP member application version NGINX plus R14 (1.13.7)

Application Category Gateway Collaboration & UC Security

Author(s): Claire Dechristé Reviewer(s): Himmi Rachid, Frank Gadot

Revision History

Edition 1: creation of the document – February 2015

Edition 2: LDAP authentication added – April 2015 Edition 3: Remove sslv3 protocol for poodle vulnerability – December 2015

Edition 4: Minor changes in NGINX config file – February 2016 Edition 5: New edition for OT 2.2.1 and OTES replacement -November 2016.

Edition 6: Nginx configuration file Update -December 2016.

Edition 7: remove the configuration file and add a reference to associated Technical Communication Edition 8: Update for Nginx plus R14 and OT 2.3.1

Test results

Refer to the section 0 for a summary of the test results.

IWR validity extension

None

Passed Refused Postponed

Passed with restrictions



AAPP Member Contact Information

Contact name: Paul Oh Title: Business Development Address: 85 Federal Street Zip Code: 94107 State: CA City: San Fransisco Country: USA Phone:

Fax: Mobile Phone:

Web site: http://nginx.com Email address: [email protected]



TABLE OF CONTENTS 1 INTRODUCTION ........................................................................................................................................ 6

1.1 GLOSSARY .................................................................................................................................................. 7

2 VALIDITY OF THE INTERWORKING REPORT ................................................................................. 8

3 LIMITS OF THE TECHNICAL SUPPORT .............................................................................................. 9

3.1 CASE OF ADDITIONAL THIRD PARTY APPLICATIONS ...................................................................................... 9

4 SUMMARY OF TEST RESULTS ............................................................................................................. 10

4.1 SUMMARY OF THE MAIN FEATURES TESTED................................................................................................. 10 4.2 SUMMARY OF PROBLEMS ........................................................................................................................... 11 4.3 SUMMARY OF LIMITATIONS ........................................................................................................................ 11 4.4 NOTES, REMARKS ..................................................................................................................................... 11

5 APPLICATION INFORMATION ........................................................................................................... 12

6 TEST ENVIRONMENT ............................................................................................................................. 14

6.1 TESTS PERFORMED ................................................................................................................................... 14 6.2 GENERAL ARCHITECTURE .......................................................................................................................... 15

6.2.1 OTES replacement ........................................................................................................................... 15 6.2.2 Virtual interfaces on RP and SBC .................................................................................................... 16 6.2.3 Remote worker authentication: ........................................................................................................ 17

6.3 HARDWARE CONFIGURATION ..................................................................................................................... 18 6.4 SOFTWARE CONFIGURATION ...................................................................................................................... 18

6.4.1 ALE OpenTouch server ................................................................................................................ 18 6.4.2 Partner Application ....................................................................................................................... 18

7 TEST RESULT TEMPLATE ...................................................................................................................... 19

8 TEST RESULTS ......................................................................................................................................... 20

8.1 CLIENT INITIALIZATION AND AUTHENTICATION .......................................................................................... 20 8.2 OUTGOING CALLS ..................................................................................................................................... 21 8.3 INCOMING CALLS ...................................................................................................................................... 22 8.4 FEATURES DURING CONVERSATION ............................................................................................................ 23 8.5 WEB SERVICES ......................................................................................................................................... 25 8.6 COLLABORATION SERVICES ON OTC CLIENTS ............................................................................................ 26 8.7 CONFERENCE AND COLLABORATION SERVICES (OTC WEB) ........................................................................ 26

9 APPENDIX A : AAPP MEMBER’S APPLICATION DESCRIPTION .............................................. 28

10 APPENDIX B: CONFIGURATION REQUIREMENTS OF THE AAPP MEMBER’S

APPLICATION .............................................................................................................................................. 29

10.1 NGINX CERTIFICATE FOR SSL ................................................................................................................. 29 10.2 LDAP AUTHENTICATION MODULE ............................................................................................................ 29 10.3 CONFIGURATION FILES ........................................................................................................................... 30 10.4 FIREWALL CONFIGURATION ..................................................................................................................... 31 10.5 NGINX PLUS SIZING GUIDE FOR OPENTOUCH........................................................................................... 31

11 APPENDIX C : DNS ENTRIES ............................................................................................................... 32

12 APPENDIX D: ALCATEL-LUCENT ENTERPRISE COMMUNICATION PLATFORM:

CONFIGURATION REQUIREMENTS ..................................................................................................... 33

12.1 REVERSE PROXY CONFIGURATION ON OT ................................................................................................ 33 12.2 SBC CONFIGURATION ON OT ................................................................................................................. 34 12.3 CONFERENCE SERVICE ADDRESS/FQDN .................................................................................................. 36



12.4 OTC PC SIP CLIENT CONFIGURATION..................................................................................................... 37

13 APPENDIX D: AAPP MEMBER’S ESCALATION PROCESS ........................................................ 39

14 APPENDIX E: AAPP PROGRAM ........................................................................................................ 40

14.1 ALCATEL-LUCENT APPLICATION PARTNER PROGRAM (AAPP) ................................................................... 40 14.2 ENTERPRISE.ALCATEL-LUCENT.COM ........................................................................................................ 41

15 APPENDIX F: AAPP ESCALATION PROCESS ............................................................................... 42

15.1 INTRODUCTION ...................................................................................................................................... 42 15.2 ESCALATION IN CASE OF A VALID INTER-WORKING REPORT ..................................................................... 43 15.3 ESCALATION IN ALL OTHER CASES ........................................................................................................... 44 15.4 TECHNICAL SUPPORT ACCESS .................................................................................................................. 45



1 Introduction

This document is the result of the certification tests performed between the AAPP member’s application and Alcatel-Lucent Enterprise’s platform.

It certifies proper inter-working with the AAPP member’s application.

Information contained in this document is believed to be accurate and reliable at the time of printing.

However, due to ongoing product improvements and revisions, ALE International cannot guarantee accuracy of printed material after the date of certification nor can it accept responsibility for errors

or omissions. Updates to this document can be viewed on:

- the Technical Support page of the Enterprise Business Portal

(https://businessportal.alcatel-lucent.com) in the Application Partner Interworking Reports corner (restricted to Business Partners)

- the Application Partner portal (https://applicationpartner.alcatel-lucent.com) with free access.

https://businessportal.alcatel-lucent.com/

https://applicationpartner.alcatel-lucent.com/



1.1 Glossary

ACS OT Collaboration server

API Application Programming Interface

AAA Authentication, Authorization and Accounting

CA Certificate Authority. It is part of a PKI. It issues and verifies digital certificates.

DMS Device Management Server

CSR Certificate Signing Request. This is file generated by a server to get signed by a

CA which will deliver a signed certificate.

DN Distinguished Name

DNS Domain Name System. Server that translates FQDN into IP addresses.

EVS Event server

FQDN Fully Qualified Domain Name. A domain name that specifies its exact location in

the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain, relative to the root domain. Ex: “myhost.mydomain.com”

IM Instant Messaging

OTC PC OpenTouch Conversation and connection for PC

OTC Web Web client used for the access to OT conference

LDAP Lightweight Directory Access Protocol. This is a directory that can be used as an

authentication server.

OT OpenTouch

OTES Opentouch Edge Server

PKI Public Key Infrastructure. It provides digital certificates that can identify an individual or an organization and directory services that can store and, when necessary,

revoke the certificates.

RADIUS Remote Authentication Dial In User Service. This is an Authentication Server.

RP Reverse Proxy

SAN Subject Alternative Name

SBC Session Border Controller

SSL – TLS Transport Layer Security (formerly Secure Socket Layer). It allows client/server applications to communicate across a network in a way designed to prevent

eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and

communications confidentiality over the Internet using cryptography.

WSS Web Socket Secure



2 Validity of the InterWorking Report

This InterWorking report specifies the products and releases which have been certified.

This inter-working report is valid unless specified until the AAPP member issues a new major release of such product (incorporating new features or functionalities), or until ALE International

issues a new major release of such Alcatel-Lucent Enterprise product (incorporating new features

or functionalities), whichever first occurs.

A new release is identified as following: a “Major Release” is any x. enumerated release. Example Product 1.0 is a major product

release.

a “Minor Release” is any x.y enumerated release. Example Product 1.1 is a minor product

release

The validity of the InterWorking report can be extended to upper major releases, if for example the

interface didn’t evolve, or to other products of the same family range. Please refer to the “IWR validity extension” chapter at the beginning of the report.

Note: The InterWorking report becomes automatically obsolete when the mentioned product releases are end of life.



3 Limits of the Technical support

Technical support will be provided only in case of a valid InterWorking Report (see chapter

Erreur ! Source du renvoi introuvable. “Validity of the InterWorking Report) and in the scope

of the features which have been certified. That scope is defined by the InterWorking report via the tests cases which have been performed, the conditions and the perimeter of the testing as well as

the observed limitations. All this being documented in the IWR. The certification does not verify the functional achievement of the AAPP member’s application as well as it does not cover load capacity

checks, race conditions and generally speaking any real customer's site conditions.

Any possible issue will require first to be addressed and analyzed by the AAPP member before being

escalated to ALE International

For any request outside the scope of this IWR, ALE International offers the “On Demand

Diagnostic” service where assistance will be provided against payment.

For more details, please refer to Appendix F “AAPP Escalation Process”.

3.1 Case of additional Third party applications In case at a customer site an additional third party application NOT provided by ALE International

is included in the solution between the certified Alcatel-Lucent Enterprise and AAPP member products, ALE International will consider that situation as to that where no IWR exists. ALE

International will handle this situation accordingly (for more details, please refer to Appendix F

“AAPP Escalation Process”).



4 Summary of test results

4.1 Summary of the main features tested

Depending on the application tested, some features might not be available, see section 4.3

Summary of limitations or chapter 8 Test Results for more details.

Feature N/A OK OK

But NOK

Application initialization and authentication

Start and stop phase

Authentication on RP using LDAP

Outgoing calls

Local call

External call

2nd outgoing call

Video call

Incoming calls

Local call

External call

2nd incoming call

Video call

Features during conversation

Hold / Resume

Back and forth

Push/Get call (Transfer to another user’s device)

Transfer

Video call

Web Services

Event notification

Voicemail

Directory search

Routing profile modification

Collaboration services

IM

Attachment / Presentation

Desktop sharing

Routing profile modification

OTC Web

Join the conference with audio

Join the conference without audio

IM

Promote leader

Attachment / Presentation

Desktop sharing



4.2 Summary of problems OT problems:

o None

NGINX problems:

o None

4.3 Summary of limitations

OT limitations:

o None

NGINX limitations: o None

4.4 Notes, remarks

The same tests could have been done with encryption of signaling (SIP-TLS) and audio (SRTP).

This has no impact on the feature tested (web services) related to the reverse proxy.

WARNING: Due to some problems found in NGINX and NGINX+ during the interworking tests, it is mandatory to use following Nginx versions:

NGINX+: version >= R10



5 Application information Application commercial name: NGINX Application version: Nginx plus R14 (1.13.7) Interface type: through configuration files

Interface version (if relevant): Brief application description:

NGINX is a lightweight, high performance web server/reverse proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows.

Nginx is available in three versions, for technology professionals through to businesses and

enterprises. For more information: http://nginx.com/products/

NGINX Plus product is built on the open source NGINX product and includes advanced features to support mission critical production environments. In contrast to legacy hardware-based networking

appliances, NGINX Plus originates from the world of application software and provides an

innovative new set of features to bridge users and applications.

NGINX Plus frees applications from the heavy lifting of HTTP by managing all of the complexities of application request routing, application security, content delivery and acceleration without incurring

unnecessary costs in time or capital.

Advanced Features of NGINX Plus Include:

Application Health Checking

Commercial-Grade Activity Monitoring

Advanced Load Balancing

Dynamic On-The-Fly Reconfiguration

Extended Logging Capabilities

High Availability Setup

Adaptive Media Streaming

Services Available With NGINX Plus Include:

Configuration and Tuning

Performance Optimization

Technical Account Management

http://nginx.com/products/



Figure 1 Global Principle

The following diagram describes a typical redirection policy implemented on the Nginx RP for the

ALE solution.

Figure 2 Redirection policy



6 Test environment

6.1 Tests performed

This document describes the tests done for remote worker scenario and guest access to Opentouch conferences in the context of OT 2.3.1 solution with NGINX plus configured as a reverse

proxy.

OTC Clients tested in this report are:

OTC PC

OTCT/OTCV Android smartphone OTCV Android Tablet

OTCT/OTCV iPhone

OTCV ipad OTC Web with OTC Sharing (application for screen sharing)

OTC client applications use an internet connection in the WAN. Remote users are connected to the enterprise network through a reverse proxy in HTTPS/WSS and through an SBC in SIP.

The way to configure OT server, OTC clients and NGINX RP is described in the Appendix. In these

tests, Nginx is running in a linux virtual server.



6.2 General Architecture The reverse proxy manages the access to OpenTouch Web Services for remote corporate users.

OTC remote clients send web requests to NGINX Reverse Proxy which forwards the traffic to the OT server located in the trusted zone.

Users can be authenticated by the RP using LDAP or OT authentication web service.

SBC server manages SIP sessions and the media streams for audio and video.

Fig 3 Test architecture in OT2.3.1

6.2.1 OTES replacement

Before OT 2.2.1, the external access to OT conferences required the installation of an OTES server

in addition to RP and SBC.

Since OT 2.2.1, this configuration has been simplified and the OTES has been removed from the topology. It is now the role of the reverse proxy to handle following use cases:

1- Corporate remote workers authentication and access to web services and eventing. This is mostly unchanged (same as before 2.2.1)

2- Corporate access to full conference features including desktop sharing (new) 3- Anonymous access to OpenTouch conferences only (new)

When this configuration is chosen (without OTES), the RP manages the OTC client connections to Opentouch server as well as the external accesses to conference and collaboration services.



6.2.2 Virtual interfaces on RP and SBC

Since OT2.2.1, the Reverse Proxy exposes two virtual interfaces:

- Opentouch public server FQDN (pub-ot.company.com) :

Remote workers connect with OTCv clients to Opentouch services using opentouch public FQDN pub-ot.company.com exposed by the reverse proxy.

OTCv clients send HTTPS/WSS requests on port 443 and 8016 to the reverse proxy which forwards the traffic to the internal FQDN of the OT ot.company.com.

- Conferencing service FQDN (conference.company.com)

These are typically remote workers or non corporate users (guests) that join Opentouch scheduled

conferences through OTC Web application.

They use conference.company.com FQDN to reach conference and collaboration services through

HTTPS/WSS on port 443.

Conferencing FQDN must be the same in LAN and WAN: conference.company.com must be resolved by a public DNS to the RP public IP address

it must be resolved on LAN by the private DNS to OT ACS cluster IP address:

In the LAN, conference FQDN= ACS cluster FQDN

On SBC side, one public interface is needed:

- pub-sip-services.company.com: SBC FQDN for SIP and media services



6.2.3 Remote worker authentication:

In this IWR, remote users are authenticated on RP using LDAP.

As NGINX+ does not natively implement LDAP, user authentication is done by an external module

delivered by NGINX: LDAP Auth Daemon. Authentication requests are sent to this module for each

protected URL.

Hereunder is the flowchart describing the different steps of the authentication process:

More information on auth-ldap module can be found here:

http://nginx.com/blog/nginx-plus-authenticate-users/

http://nginx.com/blog/nginx-plus-authenticate-users/



6.3 Hardware configuration NGINX plus

HP Proliant DL380p Gen8 hosting vmware esxi 5.1

ALE OpenTouch:

HP Proliant DL120 G6 hosting vmware esxi 5.1

6.4 Software configuration Software configuration

NGINX Plus Reverse Proxy Deployment: Public fqdn: https://opentouch2.aapp-etesting.com

Public IP address: 89.225.243.249

Internal fqdn: rpnginx2.aapp-etesting.com

Internal IP address: 10.1.2.44 Operating system: Linux CentOS 6.8

Following Linux distributions have also been tested:

Debian 8.5 Ubuntu 14.04.4

ALE OpenTouch server:

IP address: 10.1.2.85 fqdn: ice2.aapp-etesting.com

DNS: 10.1.2.15

6.4.1 ALE OpenTouch server

OTMS version 2.3.109.003

OTC PC 2.3.100.017

OTCT/OTCV Android smartphone 2.31.02.5

OTCT/OTCV iPhone 2.31.08.07

OTCV ipad 2.20.02.004

6.4.2 Partner Application

Nginx plus R14

Ldap-auth daemon from https://github.com/nginxinc/nginx-ldap-auth

(ldap-auth is compatible with Nginx plus R14)

https://opentouch2.aapp-etesting.com/

https://github.com/nginxinc/nginx-ldap-auth



7 Test Result Template

The results are presented as indicated in the example below:

Test

Case Id

Test Case N/A OK NOK Comment

1

Test case 1 Action

Expected result

2

Test case 2 Action

Expected result

The application waits for PBX timer or

phone set hangs up

3

Test case 3

Action

Expected result

Relevant only if the

CTI interface is a direct CSTA link

4

Test case 4 Action

Expected result

No indication, no error message

… …

Test Case Id: a feature testing may comprise multiple steps depending on its complexity. Each

step has to be completed successfully in order to conform to the test. Test Case: describes the test case with the detail of the main steps to be executed the and the

expected result

N/A: when checked, means the test case is not applicable in the scope of the application OK: when checked, means the test case performs as expected

NOK: when checked, means the test case has failed. In that case, describe in the field “Comment” the reason for the failure and the reference number of the issue either on ALE International side or

on AAPP member side Comment: to be filled in with any relevant comment. Mandatory in case a test has failed especially

the reference number of the issue.



8 Test Results

In all following sections, the client under test is an external user; It has been declared on the public side of the RP. For this remote user, OTC client has been configured to connect to OT via Nginx

RP.

8.1 Client initialization and authentication These tests cover OTC clients initialization and authentication.

User authentication is performed using LDAP. LDAP requests are sent by NGINX external module

ldap-auth-daemon.

Test

Case Id


1 Application initialization

A

OTC client connection to the OT through

reverse proxy using HTTP basic authentication

Check OT login/password verification

Go through OTC application menus and verify that

the application is responding correctly.

B

OTC client connection to the OT through reverse proxy using LDAP authentication

Check credentials validation

C

OTC client connection to the OT through

reverse proxy using certificate authentication

Check OT login/password verification

Go through OTC application menus and verify that

the application is responding correctly.

Not supported on

OTC PC

3 Application exit

A

Stop OTC client.

OTC user is unregistered.



8.2 Outgoing calls

Test Case

Id


1 Internal outgoing call

A

Call from remote User A (OTC client) to User B

Check that the call is established

2 External outgoing call

A

External call from remote User A (OTC client)

to user B

Check that the call is correctly established

3 Outgoing video call

A

Video Call from remote User A (OTC client) to

user B

Check that audio/video streams are correctly established

Available on OTC PC

only

4 Second outgoing call

A

Call from remote User A (OTC client) to User B Call from remote User A (OTC client) to User C

Check that the 2nd call is correctly established

OTCV ipad, OTCV Android Tablet: Not

possible to make a

second call, the application is not

multi-line, but it is possible dial a number

to start a conference

OTC PC, OTCV

Android smartphone,

OTCV iphone



8.3 Incoming calls

Test Case

Id


1 Internal incoming call

A

Internal call from User B to User A (OTC client)

Check that the call is correctly presented and

established

2 External outgoing call

A

External call from remote User A (OTC client) to user B

Check that the call is correctly established

3 Incoming video call

A

Video call from User B to User A (OTC PC

client)

Check that the call is correctly presented and the audio/video streams are correctly established

Available on OTC PC

only

4 Second incoming call

A

Call from User B to User A (OTC client) Call from User C to User A (OTC client)

Check that the 2nd call is correctly presented and is correctly established

OTC PC, OTCV ipad,

OTCV Android, OTC iPhone: Not possible

to receive a second

call. The 2nd call is routed to the other

user’s devices or to the voice mail.



8.4 Features during conversation

Test Case

Id


1 Hold/Resume

A

Call from User A (OTC Client) to User B and establish the call.

Put User B on hold.

Verify the music on hold is played

Verify you can resume the call by clicking on it

again.

OTCV ipad, OTCV Android Tablet: hold

feature is not available

2 Back and forth

A

Call from User A (OTC Client) to User B. Establish the call.

Call from User A (OTC Client) to User C Establish the call.

User B must be put on hold.

Check that you can retrieve User B.

User C must be on hold. Check that you can retrieve User C.

User B must be on hold.

OTCV ipad, OTCV Android Tablet: Not

possible to make a second call, the

application is not multi-line

OTC PC, OTCV

Android smartphone, OTCV iphone

3

Transfer to another user’s device (Push call/Get call)

A

Internal call from User B to User A (OTC

Client), establish the communication, then OTC user transfers the call to another of his

device (OTC Phone deskphone for example)

Check that the call is correctly presented to OTC

Phone and can be correctly established

From OTC Client, get the current call again.

Check that the call is correctly presented to OTC

client and can be correctly established



Test

Case Id


4 Transfer to another user

A

Call from User A (OTC Client) to User B.

Establish the call.

Call from User A (OTC Client) to User C Establish the call.

Transfer User C to User B

OTCV ipad, OTCV

Android Tablet: Not possible to make a

second call, the application is not

multi-line

5 User picture

A

Call from User B to User A (OTC Client)

Check that the caller’s picture is correctly presented



8.5 Web services

Test Case

Id


1 Event notifications

A

Missed call event

From another user or station, call OTC Client

user but do not answer.

Check that the event logs show a missed call.

Check that it is propagated to other user’s devices. Check the that the missed call event disappears

after consultation. Check that it is propagated to other user’s devices.

B

Voice mail event

User B (OTC Phone) calls User A (OTC Client)

and leaves a message.

User A can see a voice message in his events logs.

Check that it is propagated to other user’s devices.

User A can listen to the voice message, and delete

it. The voice mail event must disappear.


2 Directory Search (dial by name)

A

User A (OTC client) calls an OT user using dial by name

Verify that dial by name feature is working. Check that the call can be established

3 Routing profile modification

A

On User A (OTC client), change the routing

profile of the remote user

Check that that the routing modification is working.




8.6 Collaboration services on OTC clients

Test

Case Id


1 IM

A

Check IM is possible between remote worker and an internal user

1

Application/desktop sharing

B

Check that presentation and sharing session is possible between remote worker and an

internal user

OTC PC, OTCV ipad, OTCV Android Tablet:

It is possible to share a presentation and to

modify it

OTCV Android

smartphone, OTCV iphone: Feature not

available

8.7 Conference and collaboration services (OTC Web) In this section all tests are performed with OTC web application (including OTC Sharing).

Test

Case

Id


1 Join a conference

A

Join conference without audio

B Join conference with audio

2

IM



Test

Case Id


A Check that the chat session is working

between remote users and internal users

3

Promote/disconnect a participant

A

Promote / unpromote a leader

B Remove a participant from the conference

4

Application/Desktop sharing

A

Desktop sharing application installation

B Document sharing

C Web presentation and annotation

D Desktop sharing session



9 Appendix A : AAPP member’s Application description

Protocols and performance • HTTP/1.1, HTTP/2, HTTPS, SPDY (depreciated), WebSocket

• IMAP, POP3, SMTP with an external HTTP based authentication

• IPv4 and IPv6 • 1 million concurrent connections

• 10,000+ virtual servers multi-tenancy • Connection multiplexing pools for low latency communications

Request Routing

• HTTP, FastCGI, SCGI, uwsgi, memcached

• Exact, prefix, regex-based URL/URI path switching • Reverse proxy and load balancer with round-robin,least-connected, ip-hash

• Session persistence • Application backend health monitoring

SSL Termination • TLSv1.1/TLSv1.2/SSL/SNI/PFS/PCI-DSS

• OCSP Stapling

Security • Bandwidth, connection and request policing

• Protocol isolation and request filtering

• Header manipulation

Edge Cache and Origin Server • Content offload and caching

• On-the-fly content compression and optimization

• HTTP video streaming with MP4/FLV/HDS/HLS

Configuration and Management • Live reconfiguration of server pools to change

upstream settings on the fly

• Activity monitoring • Geo-IP configuration

• Logging to syslog

High Availability • Active-Standby (NGINX AMI on EC2 only)

• Live binary upgrades to eliminate downtime

• Graceful restart with non-stop request processing

Supported Operating Systems and Architectures • Ubuntu, Debian, CentOS, Amazon Linux, Red Hat,

SuSE, Solaris, SmartOS, *BSD

• x86_64, i386, ARM



10 Appendix B: Configuration requirements of the AAPP member’s application

Please note that complementary information can be found in Technical Communication TC2257

available on the Business Portal.

After having installed nginx on your server (download the rpm, then yum install nginx on CentOS),

following steps are needed before starting the tests:

10.1 Nginx certificate for SSL For this IWR, the Root CA of etesting lab PKI has been used to sign OT and RP certificates.

The RP certificate has been generated with subject CN=<OT public FQDN> and SAN field including ACS cluster FQDN

Note: A wildcard server certificate could also have been deployed.

The location for NGINX certificate and its private key is configurable in the config file: ssl_certificate /etc/nginx/cert/cert.pem; ssl_certificate_key /etc/nginx/key/cert.key;

10.2 LDAP authentication module

LDAP user authentication is done using ldap-auth daemon developed by NGINX.

Module installation:

Prerequisites: python2 and python-ldap modules must be installed on the server.

nginx-ldap-auth-daemon.py: Python code for the ldap-auth daemon

nginx-ldap-auth-daemon-ctl.sh (optional): Sample shell script for starting and stopping the daemon. Install on the same host as the ldap-auth daemon.

Copy the files ngx-ldap-auth-daemon.py and nginx-ldap-auth-daemon-ctl.sh on your server and lauch the control script:

nginx-ldap-auth-daemon-ctl.sh start By default, ldap-auth-daemon listens on port 8888.

Modify NGINX ldap configuration file as stated in section 10.3 with your LDAP server settings.

Now each client requests to a protected location are authenticated using the credentials provided in the login screen of OTC clients.

Here are the logs of the ldap daemon for one authentication request:



For each protected URL, NGINX sets a cookie with the provided login/password and save it to cache. LDAP requests are done on a frequency depending on the cache key lifetime. By default, the

time which a response is cached isn’t limited. But this can be modified by proxy_cache_valid directive. In following configuration file, it has been set to 10mn. Once the cache is cleared, at next

attempt from the client to access a protected URL, NGINX will start a new request to auth daemon

by sending the cookie. Auth daemon decrypts the cookie and starts the LDAP request. The user does not have to re-enter his credentials.

More information on installation and configuration here:


10.3 Configuration files

The configuration files provided in the archive must be copied in /etc/nginx/conf.d/ except nginx.conf which should be copied in /etc/nginx/

After having adapted the files according to your needs (fqdn, ssl, ldap configuration ...) , we recommend running the “nginx –t” command to verify that the files are valid.

To start/stop NGINX process:

/etc/init.d/nginx start/stop/restart

Or if it is already running, run the following command to reload the configuration file:

nginx -s reload

There are 2 main configuration files corresponding to the 2 hostnames proxied:

opentouch2.aapp-etesting.com.conf

hostname opentouch2.aapp-etesting.com (OpenTouch fqdn):

Used by remote OT clients to interact with OpenTouch server. The authentication is performed in LDAP before accessing to OT services. This interface exposes the public FQDN of the OpenTouch

server (API public URL) as defined in 8770 for OT Reverse Proxy parameters (see section Reverse proxy configuration).

conf2.aapp-etesting.com.conf: conf2.aapp-etesting.com (conference service fqdn)

This interface exposes the “conferencing service FQDN or ACS service FQDN”, as defined in OT

post-install wizard (see section Reverse proxy configuration).

As conferences can be accessed by external guests which are not authenticated by the RP, filtering rules are applied to control the access to conference and collaboration ressources.

Conferencing service FQDN can be found on WBM, refer to section Reverse proxy configuration.

There are 3 possible deployment scenario:

1. remote workers only: In that case, you can only install opentouch2.aapp-etesting.com file

and associated ssl and ldap files

2. anonymous guests only (no remote worker): In that case, you can install conf2.aapp-

etesting.com file and associated ssl and global variables files.




3. both of the above : all the files are needed

Notes:

RP listens to ports 443 and 8016

chunk mode must be enabled (should be by default) proxy buffering has been disabled

To download an example of configuration file, refer to the Technical Communication TC2257 where a FTP server is mentionned for that.

10.4 Firewall configuration On the server where the RP is running, configure the firewall to accept packets on port 443, 8443

and 8016:

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8016 -j ACCEPT

10.5 Nginx Plus sizing guide for OpenTouch

Following figures are recommendations of sizing based on typical busy hour load of 5 call/h/user

and corresponding level of other collaboration features usage, and the sizing includes a significant safety margin to comply more intensive usages. Observations of the CPU and memory consumption

under real customer deployment conditions should be done to adjust the sizing to end customer real needs.

Number of Remote Clients NGINX sizing recommendation

Up to 500 1 core VM, 1GB RAM*

*OS RAM excluded

Up to 1500 2 cores VM, 2GB RAM

Up to 5000 4 cores VM, 4GB RAM



11 Appendix C : DNS entries

Public DNS entries:

FQDN Name IP address

OT public fqdn opentouch2.aapp-etesting.com RP public IP address

Conference fqdn conf2.aapp-etesting.com RP public IP address

SBC fqdn sbc2.aapp-etesting.com SBC public IP address

Internal DNS entries:

FQDN Name IP address

OT internal fqdn ice2.etesting.lab OT IP address

Conference fqdn (*) conf2.aapp-etesting.com (*) ACS cluster IP address cf (*)

(*): for ACS cluster fqdn/IP see section 12.3 Conference service address/FQDN



12 Appendix D: Alcatel-Lucent Enterprise Communication Platform: configuration requirements

12.1 Reverse proxy configuration on OT For more details, please refer to technical OT documentation.

To declare the reverse proxy and the mapping between public and private URLs of servers, select System services > Topology > Reverse proxy

OT is listening on 2 ports:

- 443 for web services - 8016 for event management

• API: enter the public FQDN of the OpenTouch server • EVS: enter the public FQDN of the OpenTouch server followed by the 8016 port

Number • ACS:

• If there is no OTES (OpenTouch Edge Server), enter the public FQDN of the OpenTouch

server • If there is an OTES, enter the ACS Cluster Name/FQDN.

• DMS (Device Management): enter the public FQDN of the OpenTouch server followed by the path

/DM/MYICPCSIP



12.2 SBC configuration on OT A SBC is needed for SIP signaling and audio management. Here is the way to declare it on the OT.

SBC configuration is not detailed here.

SBC declaration on user side (Windows Desktop) :



12.3 Conference service address/FQDN

ACS cluster FQDN and IP are configured during OpenTouch post installation:

To find OT conference FQDN and IP address (ACS cluster FQDN), open the WBM tool,

open the collaboration services, configuration window on the OpenTouch Select Domains, click the Edit button in the Settings column

If the ACS Cluster is not configured at OpenTouch post-installation (Conferencing Service address

not configured), it can be created using OpenTouch rehosting operation (see TC 1986).



12.4 OTC PC SIP client configuration During the installation process or at connection time, modify Reverse access entries with public URL

of your reverse proxy and ldap credentials of the user (they might be different from the OT login/password).



Create a new profile “remote_worker”:



13 Appendix D: AAPP member’s escalation process

In order to get support from NGINX, customer will need to subscribe to either NGINX Plus Standard

or NGINX Plus Premium version. The difference in the versions is described at


Subscribed customers can open service requests through the NGINX Customer Portal at

http://cs.nginx.com/


http://cs.nginx.com/



14 Appendix E: AAPP program

14.1 Alcatel-Lucent Application Partner Program (AAPP)

The Application Partner Program is designed to support companies that develop communication applications for the enterprise market, based on Alcatel-Lucent Enterprise's product family.

The program provides tools and support for developing, verifying and promoting compliant third-party applications that complement Alcatel-Lucent Enterprise's product family. ALE International

facilitates market access for compliant applications.

The Alcatel-Lucent Application Partner Program (AAPP) has two main objectives:

Provide easy interfacing for Alcatel-Lucent Enterprise communication products: Alcatel-Lucent Enterprise's communication products for the enterprise market include

infrastructure elements, platforms and software suites. To ensure easy integration, the

AAPP provides a full array of standards-based application programming interfaces and fully-documented proprietary interfaces. Together, these enable third-party applications to

benefit fully from the potential of Alcatel-Lucent Enterprise products.

Test and verify a comprehensive range of third-party applications:

to ensure proper inter-working, ALE International tests and verifies selected third-party

applications that complement its portfolio. Successful candidates, which are labelled Alcatel-Lucent Enterprise Compliant Application, come from every area of voice and data

communications.

The Alcatel-Lucent Application Partner Program covers a wide array of third-party applications/products designed for voice-centric and data-centric networks in the enterprise market,

including terminals, communication applications, mobility, management, security, etc.



Web site

The Application Partner Portal is a website dedicated to the AAPP program and where the

InterWorking Reports can be consulted. Its access is free at http://applicationpartner.alcatel-lucent.com

14.2 Enterprise.Alcatel-Lucent.com

You can access the Alcatel-Lucent Enterprise website at this URL: http://www.enterprise.alcatel-lucent.com/

http://applicationpartner.alcatel-lucent.com/

http://www.enterprise.alcatel-lucent.com/

http://www.enterprise.alcatel-lucent.com/



15 Appendix F: AAPP Escalation process

15.1 Introduction

The purpose of this appendix is to define the escalation process to be applied by the ALE

International Business Partners when facing a problem with the solution certified in this document.

The principle is that ALE International Technical Support will be subject to the existence of a valid

InterWorking Report within the limits defined in the chapter “Limits of the Technical support”.

In case technical support is granted, ALE International and the Application Partner, are engaged as following:

(*) The Application Partner Business Partner can be a Third-Party company or the ALE

International Business Partner itself



15.2 Escalation in case of a valid Inter-Working Report The InterWorking Report describes the test cases which have been performed, the conditions of the

testing and the observed limitations.

This defines the scope of what has been certified.

If the issue is in the scope of the IWR, both parties, ALE International and the Application Partner,

are engaged:

Case 1: the responsibility can be established 100% on ALE International side.

In that case, the problem must be escalated by the ALE Business Partner to the ALE

International Support Center using the standard process: open a ticket (eService Request –eSR)

Case 2: the responsibility can be established 100% on Application Partner side.

In that case, the problem must be escalated directly to the Application Partner by opening a

ticket through the Partner Hotline. In general, the process to be applied for the Application Partner is described in the IWR.

Case 3: the responsibility can not be established.

In that case the following process applies:

The Application Partner shall be contacted first by the Business Partner (responsible for

the application, see figure in previous page) for an analysis of the problem.

The ALE International Business Partner will escalate the problem to the ALE International Support Center only if the Application Partner has demonstrated with

traces a problem on the ALE International side or if the Application Partner (not the

Business Partner) needs the involvement of ALE International

In that case, the ALE International Business Partner must provide the reference of the Case Number on the Application Partner side. The Application Partner must provide to ALE

International the results of its investigations, traces, etc, related to this Case Number.

ALE International reserves the right to close the case opened on his side if the

investigations made on the Application Partner side are insufficient or do not exist. Note: Known problems or remarks mentioned in the IWR will not be taken into account.

For any issue reported by a Business Partner outside the scope of the IWR, ALE International offers

the “On Demand Diagnostic” service where ALE International will provide 8 hours assistance against payment .

IMPORTANT NOTE 1: The possibility to configure the Alcatel-Lucent Enterprise PBX with ACTIS

quotation tool in order to interwork with an external application is not

the guarantee of the availability and the support of the solution. The reference remains the existence of a valid InterWorking Report.

Please check the availability of the Inter-Working Report on the AAPP (URL:

https://private.applicationpartner.alcatel-lucent.com) or Enterprise Business Portal (Url: Enterprise Business Portal) web sites.

IMPORTANT NOTE 2: Involvement of the ALE International Business Partner is mandatory, the access to the Alcatel-Lucent Enterprise platform (remote access, login/password) being the

Business Partner responsibility.

https://private.applicationpartner.alcatel-lucent.com/

https://businessportal.alcatel-lucent.com/alugesdp/faces/gesdp/products/Listing.jspx?DOCTYPE=Technical_Documentation/Interworking_Reports&RESULTSBYPAGE=25&BOXES=partner,product&OPENFOLDER=doctype.Interworking_Reports&_afPfm=2

https://businessportal.alcatel-lucent.com/alugesdp/faces/gesdp/products/Listing.jspx?DOCTYPE=Technical_Documentation/Interworking_Reports&RESULTSBYPAGE=25&BOXES=partner,product&OPENFOLDER=doctype.Interworking_Reports&_afPfm=2



15.3 Escalation in all other cases These cases can cover following situations:

1. An InterWorking Report exist but is not valid (see Chap Erreur ! Source du renvoi

introuvable. “Validity of an Interworking Report”)

2. The 3rd party company is referenced as AAPP participant but there is no official

InterWorking Report (no IWR published on the Enterprise Business Portal for Business Partners or on the Alcatel-Lucent Application Partner web site) ,

3. The 3rd party company is NOT referenced as AAPP participant

In all these cases, Alcatel-Lucent offers the “On Demand Diagnostic” service where ALE International will provide 8 hours assistance against payment.



15.4 Technical support access The ALE International Support Center is open 24 hours a day; 7 days a week:

e-Support from the Application Partner Web site (if registered Alcatel-Lucent Application

Partner): http://applicationpartner.alcatel-lucent.com e-Support from the ALE International Business Partners Web site (if registered Alcatel-

Lucent Enterprise Business Partners): https://businessportal.alcatel-lucent.com click under

“Contact us” the eService Request link e-mail: [email protected]

Fax number: +33(0)3 69 20 85 85

Telephone numbers:

ALE International Business Partners Support Center for countries:

Country Supported language Toll free number

France

French

+800-00200100

Belgium

Luxembourg

Germany

German Austria

Switzerland

United Kingdom

English

Italy

Australia

Denmark

Ireland

Netherlands

South Africa

Norway

Poland

Sweden

Czech Republic

Estonia

Finland

Greece

Slovakia

Portugal

Spain Spanish

For other countries:

English answer: + 1 650 385 2193

French answer: + 1 650 385 2196 German answer: + 1 650 385 2197

Spanish answer: + 1 650 385 2198

END OF DOCUMENT

http://applicationpartner.alcatel-lucent.com/

https://businessportal.alcatel-lucent.com/

ale application partner program inter-working report...edition 4: minor changes in nginx config file...

Documents