Zero Touch Configuration - 1110

Chris Clauss - ConvergeOne Devin Blagbrough – ConvergeOne Get this presentation – http://bit.ly/iaugpres Zero Touch Configuration - 1110


Post on 12-Jul-2020


TRANSCRIPT

Page 1: Zero Touch Configuration - 1110 · 2020-02-11 · Enter Avaya Aura Device Services Delivers an automated, user-tailored, dynamic configuration, single sign on, and unified contacts

Chris Clauss - ConvergeOne

Devin Blagbrough – ConvergeOne

Get this presentation – http://bit.ly/iaugpres

Zero Touch Configuration - 1110

Page 2

Thanks for coming!

Please ask questions!

Let’s make this time together worthwhile!

Page 3

Get this presentation

http://bit.ly/iaugpres

Page 4

Why do we want to make it easy?

• Avaya provides many different endpoint devices.
• Devices are deployed everywhere – office / remote office / home office.
• Want devices to plug and play.
• Moving towards mobile-first solutions – iOS / Android.
• Allow for single sign on / profile based options.
• Allow for application integration / directory lookups / calendar.
• Allow for user self service – “just ship me a phone or app.”

What does all this stuff mean?

AADS / Utility Server / DES / HTTP / IIS / DNS / DHCP / Linux / PTR

Page 5

What are the drivers?

End goal: users can set up their own devices
• Fewer helpdesk tickets
• Ease of company PC / laptop reimage
• Phone replacements
• Extra devices / smartphones
• Personal PCs at home

Need for security
• Tied to customer’s LDAP / Active Directory logins and their change policies
• Strong complex passwords – not numeric passwords
• LDAP integration allows for Two Factor / Multi Factor Authentication

SMGR still must be configured with station logins and complex passwords.

Page 6

Users want an app store experience…

Page 7

Hard phones

• 9600 Series
  • 9620 / 9630 / 9640 / 9650 – older release / end of sale / limited firmware
  • 9611 / 9621 / 9641 / 9608 – current release / end of sale / supported firmware

• J Series – J1XX
  • New design – support h.323 / SIP firmware
  • Support traditional configuration process
  • Also support Device Enablement Services
  • Support WIFI

• Vantage – (aka K Series)
  • Elegant Android based touch screen phones
  • Available with wireless headset / keypad
  • Support Avaya Aura Device Services
  • Support WIFI

Page 8

Boot Process for Physical Sets

• Phones require power – generally provided via POE or a power brick. Brick ideal for home office or WIFI

• Phones will boot on the network – default VLAN

• Phones will seek IP address from DHCP server.

• DHCP Server – usually a Windows / Linux Server or a router.

• DHCP Server provides IP address information to the phone

• DHCP Server also can provide additional options.

Page 9

Example – Windows DHCP Server

• DHCP – IP address and other options.
• Custom option 242 added for Avaya sets. Points the phone to a web server that provides the configuration file. Can also override the VLAN the phone is on.

Page 10

Example – Cisco Router Configuration

! Option 242 fields:
!   MCIPADD / MCPORT = CM h.323 IP address and port
!   HTTPSRVR         = web server for config
!   L2QVLAN          = VoIP VLAN
ip dhcp pool VoIP
 network 172.31.70.0 255.255.255.0
 default-router 172.31.70.1
 domain-name company.com
 option 242 ascii "MCIPADD=172.31.70.100,MCPORT=1719,HTTPSRVR=172.30.70.200,L2QVLAN=5"

• If phones receive a different VLAN via DHCP, they will reboot and seek DHCP in the “new” VLAN.
• HTTPSRVR is the most important option, so the phone can get configuration files.
• Note – if using older phones, duplicate option 242 to 176.

Page 11

Phones next will look for firmware

The set seeks the “upgrade” file, which is different for h.323 / SIP. It pulls the file and compares the firmware in place with the firmware version in the upgrade file. If they differ, it will download the upgrade and install the firmware – several minutes and perhaps several restarts.

Firmware files are placed in the web server “root” folder.

Windows – c:\inetpub\wwwroot
Linux – /var/www/html

Page 12

Phone Configuration

• After the firmware is upgraded, the phone will seek a configuration file.
• File name is 46xxsettings.txt (by default). 46xx were the first IP sets to use this file.
• 46xxsettings.txt is located in the same folder.
• Can be a large file – many options these days.

Page 13

46xxsettings.txt

Simply a text file with options. Here is a simple example:

#SIP OPTIONS
SET SIPDOMAIN clauss.org
SET SIP_CONTROLLER_LIST 172.30.0.133:5061;transport=tls
SET SIMULTANEOUS_REGISTRATIONS 2
#h.323 OPTIONS
SET MCIPADD 172.30.0.130
#General OPTIONS
SET GMTOFFSET -5:00
SET NO_DIGITS_TIMEOUT 60
SET TRUSTCERTS SystemManagerCA.cacert.txt
SET TLSSRVRID 0
SET PROCPSWD 27238

Page 14

More advanced 46xxsettings.txt

Settings file has a global options section and a group section. Phone group can be set from the keypad, or from CM station configuration.

# GROUP_SETTINGS
IF $GROUP SEQ 1 GOTO GROUP_1
IF $GROUP SEQ 2 GOTO GROUP_2
GOTO END

# GROUP_1
SET GMTOFFSET -6:00
GOTO END

# GROUP_2
SET GMTOFFSET -7:00
GOTO END

# END
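
How a phone's group number selects settings in a file like the one above, as an added Python example that is not part of the original presentation. It interprets only SET, IF $GROUP SEQ n GOTO, GOTO and "# LABEL" lines over a constructed sample; treating group 0 as "no group set", skipping "##" lines as comments, and raising on an undefined label are assumptions of this sketch.

```python
import re

# Constructed sample modelled on the slides' group example (not a production file).
SAMPLE = """\
## global section: applies to every phone
SET GMTOFFSET -5:00
SET TLSSRVRID 0
# GROUP_SETTINGS
IF $GROUP SEQ 1 GOTO GROUP_1
IF $GROUP SEQ 2 GOTO GROUP_2
GOTO END
# GROUP_1
SET GMTOFFSET -6:00
GOTO END
# GROUP_2
SET GMTOFFSET -7:00
GOTO END
# END
"""

LABEL = re.compile(r"^#\s+(\w+)$")
IF_GOTO = re.compile(r"^IF\s+\$(\w+)\s+SEQ\s+(\S+)\s+GOTO\s+(\w+)$")


def effective_settings(text, group):
    """Walk the file top to bottom as one phone would; return its final SET values."""
    lines = [ln.strip() for ln in text.splitlines()]
    labels = {m.group(1): i for i, ln in enumerate(lines) if (m := LABEL.match(ln))}
    variables = {"GROUP": str(group)}
    settings = {}

    def jump(target):
        if target not in labels:
            raise ValueError(f"GOTO to undefined label {target!r}")
        return labels[target]

    pc = steps = 0
    while pc < len(lines):
        steps += 1
        if steps > 10 * len(lines):
            raise ValueError("GOTO loop never reaches the end of the file")
        line = lines[pc]
        pc += 1
        if not line or line.startswith("#"):
            continue                          # blank line, comment or label
        if line.startswith("SET "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2]  # a later SET overrides an earlier one
        elif (m := IF_GOTO.match(line)):
            var, value, target = m.groups()
            if variables.get(var) == value:
                pc = jump(target)
        elif line.startswith("GOTO "):
            pc = jump(line.split()[1])
    return settings


def group_overrides(text, groups):
    """Per group, the settings that differ from a phone with no group set (assumed 0)."""
    base = effective_settings(text, 0)
    return {g: {k: v for k, v in effective_settings(text, g).items() if base.get(k) != v}
            for g in groups}


if __name__ == "__main__":
    for g, diff in group_overrides(SAMPLE, [1, 2, 3]).items():
        print(g, diff)
```

Running `group_overrides` over a real settings file before publishing it shows which groups change a security-relevant value such as TLSSRVRID or TRUSTCERTS, and which groups silently fall through to the global section.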

Page 15

Changing Group ID from CM

Updated group ID will be used at next reboot.

Devin says – this is a problem for SIP sets on reboot!

Page 16

So we need a file server…

Several options

• Avaya Utility Server – available through release 7
  • VMware based image that provides a file server among other things
  • Can provide 46xxsettings and phone firmware / also host phone backups
  • Discontinued in release 8
  • Problem for R8 customers. Avaya added simple file server to CM for S8300 remote sites.

• Windows IIS Server
  • Easy to configure web server. Licensed - $

• Linux
  • Fairly easy to configure – CentOS and other distributions free.

• AADS
  • Avaya’s new solution for endpoint configuration – more on that later.

• S8300 Server starting in R8.1 – CM provides a file server. Blade only!

Page 17

File Server Location

File server can be centrally deployed
• Configuration of all devices from a single location
• Use GROUP settings for customization by location
• Will require all phones to pull settings and firmware across the WAN.

Each location can have a file server.
• Each location can use a custom configuration
• Multiple servers to manage and maintain
• Better leverages WAN bandwidth

Avaya direction – use AADS at the core, and provide local file server on CM for remote locations. Local file server available on S8300 LSP CM template only.

Phones also use the file server for backups. Can be central or remote…

Page 18

How do you know your file server is working?

Just try to download a config file from a browser

Page 19

What are the problems?

Simple configuration if we can control DHCP and web server, but...

• Cloud based systems.
• Remote workers.
• Branch / Small / Home office.
• Mobile devices.
• Phones anywhere with SBC.

How to configure DHCP and OPTIONS if we have no control over the local network, or don’t want to touch it?

Simple solution is to hardcode each set with IP information and address of file server, but we just want to ship a set and plug it in and have it work.

Page 20

Enter Device Enablement Service

New sets support Device Enablement Services (J/K)

DES is –
• Avaya’s hosted configuration server
• Completely optional – don’t need to use it

After phone boots it asks if you wish to use DES.
• If “no” or nothing is selected, the device will default to existing configuration mechanism via DHCP setting options
• If DHCP does not return anything then the phone will prompt the user for an Enrollment code
• If “yes” is selected, the device will contact DES and get redirected to the URL of the provisioning server – aka the file server we just talked about.

Page 21

Attempts to contact internet based DES server.

• Customers or partners administer a record matching the phone MAC / Serial Number on the DES server

• Optionally, a code can be forced to be entered on the phone to validate the phone (protect against MAC spoofing)

• DES server responds to phone with the location of the HTTP/HTTPS server used for configuration. The server can be located anywhere – private / public. The file server is NOT hosted in DES.

• Free service.

DES does require a connection to internet DES server – hosted by Avaya in AWS.

Page 22

Administering DES

1. Login to https://des.avaya.com
2. Create a provisioning URL.
3. Create the customer account, site, and assign the server URL.
4. Claim device(s) and Activate them for use.
5. Associate the devices with the customer site
6. Validate the device assignment in Device Details

Page 23

DES Web Administration

Page 24

DES Web Administration

Page 25

DES Web Administration

Page 26

DES Web Administration

Page 27

Great solution for sets, but…

New Avaya sets and DES provide an easy way to get a brand new set out of box to find the configuration server.

Most customers are looking to do more with mobile-first configurations. How to handle softphone clients?

Traditional 1X Series Communicator can use settings file for configuration (ask us after)

For truly mobile first experience, IX Workplace is the solution – robust consistent interface across Windows / Mac / IOS / Android devices.

Page 28

Mobile First Experience needs…

• Install the app and go – app store experience.
• Users just want it to work – they don’t want to call someone to configure it.
• Use single sign on for secure access to corporate resources.
• Provide access to enterprise directory services for user/phone lookup.
• Ease of update to new versions – app store experience.
• Ease of update to new configuration.
• Better security – don’t use station passwords.
• Apply configurations to groups of users.
• Avoid complicated scripting.

Page 29

Enter Avaya Aura Device Services

Delivers an automated, user-tailored, dynamic configuration, single sign on, and unified contacts.

Administrators manage user configurations across the enterprise from a single pane of glass.

Can push softphone settings to the enterprise, a group, or individual users.

Contains a “stripped down” Utility server to provide configuration files to 96xx / J series sets.

Can be clustered to provide high availability. Note that you need a Load Balancer in front of AADS for public clustering (ask us later). Internal cluster can point to a virtual IP, but all servers must be on the same subnet.

Page 30

End user self configuration

Page 31

How does AADS work?

For autoconfiguration to work, the client needs to be able to find configuration servers based on DNS.

When the user enters their email address, the client looks up the DNS domain name and pulls a special DNS pointer (PTR) record.

Pointer in the form of _avaya-ep-config._tcp.company.com

For example _avaya-ep-config._tcp.c1cx.com

Page 32

How does AADS work

DNS DIG with G Suite Toolbox - https://toolbox.googleapps.com/apps/dig

Page 33

How does AADS work

• If a record exists, the client will connect to the AADS server specified by the record.

• If multiple records exist, the client will be presented with a list of configuration servers – for example, USA / EMEA / APAC

Client will then resolve the PTR record to Server Record (SRV) in DNS with port information

Page 34

How does AADS work

• Client then will query DNS TXT record to obtain the path for configuration.

Note – if customer has many email domains, several PTR records can point to the same TXT record.

Page 35

How does AADS work

• Client will then put it all together to find the configuration file

For example https://46xxdemo.c1cx.com:443/acs/resources/configurations

If we browse to the page, we are asked for a sign on – client already has that!
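
The lookup chain from the preceding slides (PTR, then SRV, then TXT, then the assembled URL), as an added Python example that is not part of the original presentation. The DNS data is constructed and held in memory; the instance labels, the `lab` entry, the TXT key `path`, and the HTTPS default when `proto` is absent are assumptions, and the two warnings reflect the slides' points about `proto=http` and certificate SAN matching.

```python
# Constructed DNS data standing in for real lookups. Instance labels and the
# TXT key "path" are assumptions; "proto" is the key named on the slides.
ZONE = {
    ("_avaya-ep-config._tcp.c1cx.com", "PTR"): [
        "usa._avaya-ep-config._tcp.c1cx.com",
        "lab._avaya-ep-config._tcp.c1cx.com",
    ],
    ("usa._avaya-ep-config._tcp.c1cx.com", "SRV"): [(0, 0, 443, "46xxdemo.c1cx.com")],
    ("usa._avaya-ep-config._tcp.c1cx.com", "TXT"): [
        ["proto=https", "path=/acs/resources/configurations"]],
    ("lab._avaya-ep-config._tcp.c1cx.com", "SRV"): [(0, 0, 80, "lab.c1cx.com")],
    ("lab._avaya-ep-config._tcp.c1cx.com", "TXT"): [
        ["proto=http", "path=/46xxsettings.txt"]],
}


def lookup(name, rtype):
    """In-memory resolver; swap in a real DNS client to audit a live domain."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def san_matches(host, sans):
    """Exact match, or a wildcard SAN that covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def discover(email, cert_sans, resolve=lookup):
    """Follow PTR -> SRV -> TXT for the email's domain; return URLs plus warnings.

    cert_sans maps a host name to the SAN list seen on its certificate
    (constructed here; in practice taken from inspecting the server certificate).
    """
    if "@" not in email:
        raise ValueError("expected an email address")
    domain = email.rsplit("@", 1)[1]
    results = []
    for instance in resolve(f"_avaya-ep-config._tcp.{domain}", "PTR"):
        srv = sorted(resolve(instance, "SRV"))      # lowest priority value first
        txt = resolve(instance, "TXT")
        if not srv or not txt:
            results.append({"instance": instance, "url": None,
                            "warnings": ["incomplete SRV/TXT records"]})
            continue
        _priority, _weight, port, target = srv[0]
        kv = dict(item.split("=", 1) for item in txt[0] if "=" in item)
        proto = kv.get("proto", "https")            # assumed default: HTTPS
        path = kv.get("path", "/")
        warnings = []
        if proto != "https":
            warnings.append("cleartext HTTP: settings can be read or altered in transit")
        elif not san_matches(target, cert_sans.get(target, [])):
            warnings.append("certificate SAN does not cover SRV target")
        results.append({"instance": instance,
                        "url": f"{proto}://{target}:{port}{path}",
                        "warnings": warnings})
    return results


if __name__ == "__main__":
    for r in discover("user@c1cx.com", {"46xxdemo.c1cx.com": ["*.c1cx.com"]}):
        print(r)
```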

Page 36

How does AADS work

Client sends the user info, device type to AADS. AADS confirms group settings, global options, and builds “46xxsettings.txt” file on the fly…

Page 37

Dynamic Configuration of end users

Settings can be assigned at the following categories…

EXCEPTIONS / PLATFORM / USER / PHONE MODEL / GROUP / GLOBAL

Settings applied to the above categories are layered in order to build the final set of settings. Any setting that is set in multiple categories will get overwritten by the category with highest precedence.

Platform settings apply to OS, Android, Windows or Macintosh

Group settings are applied to all users within the named LDAP group

Global settings apply to all users

Page 38

Dynamic Configuration of end users

How does AADS pair an LDAP username with a configuration in System Manager?

• A matching field is used to pair an LDAP (Active Directory) user with a System Manager user.

• Good example is email address – [email protected]

After user enters their login / password, AADS queries the LDAP to validate login, fetches the matching field, builds a dynamic configuration, and pulls user profile info from System Manager.

Page 39

AADS Dynamic Configuration Example

Page 40

AADS Dynamic Configuration Example

Page 41

AADS Dynamic Configuration Example

Online help available for settings…

Page 42

AADS uses customer LDAP

AADS leverages the customer LDAP server (Active Directory) to provide services.

- Single Sign On – what was shown previously.
- LDAP Group membership to allow configuration by role
- Also acts as a proxy for directory lookups so clients do not access directory services directly (problematic for firewalls & reduces CALs needed)

Page 43

Some things to think about…

Devin wants you to know…

• AADS - 1 DNS PTR record per email domain
• Can be a problem for companies with many email domains, acquired companies, single config URI, but can use same TXT & SRV over and over
• Split horizon DNS required for internal / external resolution (ask us later)
• DNS has to match certificate SAN information for HTTPS
• Can point to a static config file even if no AADS or works with AADS
• Configuration server can be a Utility Server or customer provided web server if you don’t want to use AADS.
• Can use HTTP with TXT value “proto=http” instead of HTTPS if you wish
• Devices will ignore settings not relevant to them – i.e. IOS10CALLKIT ignored in Windows / OUTLOOK_CALL_CONTACT ignored in iOS / Android
• Keep it simple – put configs in by GROUP – avoid device type
• One LDAP Security Group per extension length – COMM_ADDR_HANDLE_LENGTH

Page 44

Some things to think about…

Chris wants you to know…

To successfully integrate these solutions, telecom teams need to partner with customer technology teams. Need to support

- LDAP integrations.
- DNS integration and configuration – internal and external.
- Network and firewall configurations.
- Security requirements for certificate, SSO, HTTPS, and 2FA.

Page 45

And some security issues…

• Two factor authentication (2FA) is becoming more important to many customers

• Security teams require 2FA authentication against LDAP / Active Directory servers.

• Exchange Web Services may require 2FA.

Good news is that the latest clients support 2FA, but the configuration is NOT simple. Good understanding of the technology and integration are required.

Devin says – FYI - 2FA Uses KeyCloak open source software on AADS

Page 46

Conclusions

• Avaya offers different configuration applications.

• Support is still available for static file based configurations.

• Dynamic, authenticated, group based configuration is the future.

• Overhead to set up systems like AADS pays off when compared to the day to day maintenance / tickets / MAC.

• Understanding of services like HTTPS file services, DHCP for IP address configuration, LDAP, and DNS is important – partner with your IT organization.

Page 47

What’s the best way for you to get help with these configurations?

- Come ask us questions
- www.convergeone.com
- Thanks for attending!

Chris [email protected]

Find the best partner – here at the show!

Please fill out your session survey! Session 1110

Please tweet about the presentation if you liked it - @clauss

Devin [email protected]

Get this presentation – http://bit.ly/iaugpres