Zero Touch Configuration - 1110 · 2020-02-11
TRANSCRIPT
Chris Clauss - ConvergeOne
Devin Blagbrough – ConvergeOne
Get this presentation – http://bit.ly/iaugpres
Zero Touch Configuration - 1110
Thanks for coming!
Please ask questions!
Let’s make this time together worthwhile!
Why do we want to make it easy?
• Avaya provides many different endpoint devices.
• Devices are deployed everywhere – office / remote office / home office.
• Want devices to plug and play.
• Moving towards mobile first solutions – iOS / Android.
• Allow for single sign on / profile based options.
• Allow for application integration / directory lookups / calendar.
• Allow for user self service – “just ship me a phone or app.”
What does all this stuff mean?
Terms used in this session: AADS, Utility Server, DES, HTTP, IIS, DNS, DHCP, Linux, PTR
What are the drivers?
End goal: users can set up their own devices
• Fewer helpdesk tickets
• Ease of company PC / laptop reimage
• Phone replacements
• Extra devices / smartphones
• Personal PCs at home
Need for security
• Tied to customer’s LDAP / Active Directory logins and their change policies
• Strong complex passwords – not numeric passwords
• LDAP integration allows for Two Factor / Multi Factor Authentication
SMGR still must be configured with station logins and complex passwords.
Users want an app store experience…
Hard phones
• 9600 Series
  • 9620 / 9630 / 9640 / 9650 – older release / end of sale / limited firmware
  • 9611 / 9621 / 9641 / 9608 – current release / end of sale / supported firmware
• J Series – J1XX
  • New design – supports h.323 / SIP firmware
  • Supports the traditional configuration process
  • Also supports Device Enablement Services
  • Supports WIFI
• Vantage – (aka K Series)
  • Elegant Android based touch screen phones
  • Available with wireless headset / keypad
  • Supports Avaya Aura Device Services
  • Supports WIFI
Boot Process for Physical Sets
• Phones require power – generally provided via POE or a power brick. Brick ideal for home office or WIFI
• Phones will boot on the network – default VLAN
• Phones will seek IP address from DHCP server.
• DHCP Server – usually a Windows / Linux Server or a router.
• DHCP Server provides IP address information to the phone
• DHCP Server also can provide additional options.
Example – Windows DHCP Server
• DHCP – IP address and other options.
• Custom option 242 added for Avaya sets. Points the phone to a web server that provides the configuration file. Can also override the VLAN the phone is on.
Example – Cisco Router Configuration
ip dhcp pool VoIP
 network 172.31.70.0 255.255.255.0
 default-router 172.31.70.1
 domain-name company.com
 ! MCIPADD = CM h.323 IP address, HTTPSRVR = web server for config, L2QVLAN = VoIP VLAN
 option 242 ascii "MCIPADD=172.31.70.100,MCPORT=1719,HTTPSRVR=172.30.70.200,L2QVLAN=5"
(The whole option 242 value is one quoted, comma separated ASCII string; the slide showed it split across lines with the annotations inline.)
If phones receive a different VLAN via DHCP, they will reboot and seek DHCP in the “new” VLAN.
HTTPSRVR is the most important option so the phone can get its configuration files.
Note – if using older phones, duplicate option 242 to option 176.
Phones next will look for firmware
The set seeks the “upgrade” file, which is different for h.323 / SIP, pulls the file and compares the firmware in place with the firmware version in the upgrade file. If different it will download the upgrade and install the firmware – several minutes and perhaps several restarts.
Firmware files are placed in the web server “root” folder:
Windows – c:\inetpub\wwwroot
Linux – /var/www/html
Phone Configuration
After the firmware is upgraded the phone will seek a configuration file.
The file name is 46xxsettings.txt (by default). 46xx were the first IP sets to use this file.
46xxsettings.txt is located in the same folder.
It can be a large file – many options these days.
46xxsettings.txt
Simply a text file with options. Here is a simple example. Two values in it deserve a second look before the file goes on a web server that every phone (and anyone else on the LAN) can fetch: TLSSRVRID 0 turns off the phone’s check of the file server’s certificate identity, and PROCPSWD 27238 is the well-known default craft password (C-R-A-F-T on the keypad).
#SIP OPTIONS
SET SIPDOMAIN clauss.org
SET SIP_CONTROLLER_LIST 172.30.0.133:5061;transport=tls
SET SIMULTANEOUS_REGISTRATIONS 2
#h.323 OPTIONS
SET MCIPADD 172.30.0.130
#General OPTIONS
SET GMTOFFSET -5:00
SET NO_DIGITS_TIMEOUT 60
SET TRUSTCERTS SystemManagerCA.cacert.txt
SET TLSSRVRID 0
SET PROCPSWD 27238
More advanced 46xxsettings.txt
The settings file has a global options section and a group section. The phone group can be set from the keypad, or from the CM station configuration.
# GROUP_SETTINGS
IF $GROUP SEQ 1 GOTO GROUP_1
IF $GROUP SEQ 2 GOTO GROUP_2
GOTO END
# GROUP_1
SET GMTOFFSET -6:00
GOTO END
# GROUP_2
SET GMTOFFSET -7:00
GOTO END
# END
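To see exactly which values a phone in a given group ends up with, the following added example (not Avaya code, not from the slides) interprets the small scripting subset used above: SET, IF … SEQ … GOTO, GOTO, and “# LABEL” lines, treating “##” lines as comments. The sample file is constructed here by joining the global section and the GROUP section from the two slides; the audit function flags the two weak values discussed above (TLSSRVRID 0 and the default PROCPSWD).

```python
import re

# Constructed sample: the global section and the GROUP section from the slides,
# joined into one file so a group branch can override the global GMTOFFSET.
SAMPLE_46XXSETTINGS = """\
## General options (a line starting with ## is a comment)
SET GMTOFFSET -5:00
SET TRUSTCERTS SystemManagerCA.cacert.txt
SET TLSSRVRID 0
SET PROCPSWD 27238
# GROUP_SETTINGS
IF $GROUP SEQ 1 GOTO GROUP_1
IF $GROUP SEQ 2 GOTO GROUP_2
GOTO END
# GROUP_1
SET GMTOFFSET -6:00
GOTO END
# GROUP_2
SET GMTOFFSET -7:00
GOTO END
# END
"""

IF_RE = re.compile(r"^IF\s+\$(\w+)\s+(SEQ|SNE)\s+(\S+)\s+GOTO\s+(\S+)$", re.I)


def resolve_settings(script, phone_vars=None):
    """Walk the script top to bottom, following GOTOs, and return the final SET values.

    phone_vars holds values the phone already knows (e.g. GROUP from the keypad or
    from the CM station form); a SET in the script overrides them for later IF tests.
    """
    current = dict(phone_vars or {})
    lines = [ln.strip() for ln in script.splitlines()]

    # Labels are '# NAME' lines; '##' lines are comments and are never labels.
    labels = {}
    for idx, ln in enumerate(lines):
        if ln.startswith("#") and not ln.startswith("##"):
            labels[ln[1:].strip().upper()] = idx

    def jump(label):
        if label.upper() not in labels:
            raise ValueError("GOTO to unknown label: " + label)
        return labels[label.upper()]

    settings = {}
    pc = 0
    steps = 0
    while pc < len(lines):
        steps += 1
        if steps > 10 * len(lines):          # defensive: a GOTO loop in a bad file
            raise RuntimeError("GOTO loop detected")
        ln = lines[pc]
        pc += 1
        if not ln or ln.startswith("#"):
            continue
        parts = ln.split()
        cmd = parts[0].upper()
        if cmd == "SET" and len(parts) >= 3:
            name, value = parts[1].upper(), " ".join(parts[2:])
            settings[name] = value
            current[name] = value
        elif cmd == "GOTO" and len(parts) == 2:
            pc = jump(parts[1])
        elif cmd == "IF":
            m = IF_RE.match(ln)
            if not m:
                raise ValueError("bad IF line: " + ln)
            var, op, expected, label = m.groups()
            actual = str(current.get(var.upper(), ""))
            matched = (actual == expected) if op.upper() == "SEQ" else (actual != expected)
            if matched:
                pc = jump(label)
        # Anything else is skipped by this interpreter.
    return settings


def audit_settings(settings):
    """Flag the two weak values from the slide example."""
    findings = []
    if settings.get("TLSSRVRID") == "0":
        findings.append("TLSSRVRID 0: file server certificate identity is not checked")
    if settings.get("PROCPSWD") == "27238":
        findings.append("PROCPSWD 27238: default craft password published in a world-readable file")
    return findings


if __name__ == "__main__":
    for group in ("0", "1", "2"):
        final = resolve_settings(SAMPLE_46XXSETTINGS, {"GROUP": group})
        print(f"GROUP={group}: GMTOFFSET={final['GMTOFFSET']}")
    for warning in audit_settings(resolve_settings(SAMPLE_46XXSETTINGS)):
        print("WARN", warning)
```

Run it with a GROUP value of 0, 1 or 2 to see the group branch override the global GMTOFFSET; a phone with no group (or an unknown one) falls through to END and keeps the global value, which is the behaviour to expect after a reboot if the group ID was never pushed.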
Changing Group ID from CM
Updated group ID will be used at next reboot.
Devin says – this is a problem for SIP sets on reboot!
So we need a file server…
Several options
• Avaya Utility Server – available through release 7
  • VMware based image that provides a file server among other things
  • Can provide 46xxsettings and phone firmware / also host phone backups
  • Discontinued in release 8
  • Problem for R8 customers. Avaya added a simple file server to CM for S8300 remote sites.
• Windows IIS Server
  • Easy to configure web server. Licensed – $
• Linux
  • Fairly easy to configure – CentOS and other distributions are free.
• AADS
  • Avaya’s new solution for endpoint configuration – more on that later.
• S8300 Server starting in R8.1 – CM provides a file server. Blade only!
File Server Location
The file server can be centrally deployed
• Configuration of all devices from a single location
• Use GROUP settings for customization by location
• Will require all phones to pull settings and firmware across the WAN.
Each location can have a file server.
• Each location can use a custom configuration
• Multiple servers to manage and maintain
• Better leverages WAN bandwidth
Avaya direction – use AADS at the core, and provide local file server on CM for remote locations. Local file server available on S8300 LSP CM template only.
Phones also use the file server for backups. Can be central or remote…
How do you know your file server is working?
Just try to download a config file from a browser
What are the problems?
Simple configuration if we can control DHCP and web server, but...
• Cloud based systems.
• Remote workers.
• Branch / small / home office.
• Mobile devices.
• Phones anywhere with an SBC.
How do we configure DHCP and options if we have no control over the local network, or don’t want to touch it?
Simple solution is to hardcode each set with IP information and address of file server, but we just want to ship a set and plug it in and have it work.
Enter Device Enablement Service
New sets support Device Enablement Services (J/K)
DES is –• Avaya’s hosted configuration server• Completely optional – don’t need to use it
After the phone boots it asks if you wish to use DES.
• If “no” or nothing is selected, the device will default to the existing configuration mechanism via DHCP setting options
• If DHCP does not return anything then the phone will prompt the user for an Enrollment code
• If “yes” is selected, the device will contact DES and get redirected to the URL of the provisioning server – aka the file server we just talked about.
Attempts to contact internet based DES server.
• Customers or partners administer a record matching the phone MAC / Serial Number on the DES server
• Optionally, a code can be forced to be entered on the phone to validate the phone (protect against MAC spoofing)
• DES server responds to phone with the location of the HTTP/HTTPS server used for configuration. The server can be located anywhere – private / public. The file server is NOT hosted in DES.
• Free service.
DES does require a connection to internet DES server –hosted by Avaya in AWS.
Administering DES
1. Login to https://des.avaya.com
2. Create a provisioning URL.
3. Create the customer account, site, and assign the server URL.
4. Claim device(s) and Activate them for use.
5. Associate the devices with the customer site
6. Validate the device assignment in Device Details
DES Web Administration
Great solution for sets, but…
New Avaya sets and DES provide an easy way to get a brand new set out of box to find the configuration server.
Most customers are looking to do more with mobile first configurations. How do we handle softphone clients?
Traditional 1X Series Communicator can use settings file for configuration (ask us after)
For a truly mobile first experience, IX Workplace is the solution – a robust, consistent interface across Windows / Mac / iOS / Android devices.
Mobile First Experience needs…
• Install the app and go – app store experience.
• Users just want it to work – they don’t want to call someone to configure it.
• Use single sign on for secure access to corporate resources.
• Provide access to enterprise directory services for user/phone lookup.
• Ease of update to new versions – app store experience.
• Ease of update to new configuration.
• Better security – don’t use station passwords.
• Apply configurations to groups of users.
• Avoid complicated scripting.
Enter Avaya Aura Device Services
Delivers an automated, user-tailored, dynamic configuration, single sign on, and unified contacts.
Administrators manage user configurations across the enterprise from a single pane of glass.
Can push softphone settings to the enterprise, a group, or individual users.
Contains a “stripped down” Utility server to provide configuration files to 96xx / J series sets.
Can be clustered to provide high availability. Note that you need a Load Balancer in front of AADS for public clustering (ask us later). Internal cluster can point to a virtual IP, but all servers must be on the same subnet.
End user self configuration
How does AADS work?
For autoconfiguration to work, the client needs to be able to find configuration servers based on DNS.
When the user enters their email address, the client takes the DNS domain name from it and pulls a special DNS pointer (PTR) record.
The pointer is of the form _avaya-ep-config._tcp.company.com
For example _avaya-ep-config._tcp.c1cx.com
How does AADS work
DNS DIG with G Suite Toolbox - https://toolbox.googleapps.com/apps/dig
How does AADS work
• If a record exists, the client will connect to the AADS server specified by the record.
• If multiple records exist, the client will be presented with a list of configuration servers – for example, USA / EMEA / APAC
The client will then resolve the PTR record to a service (SRV) record in DNS, which carries the host and port information.
How does AADS work
• Client then will query DNS TXT record to obtain the path for configuration.
Note – if customer has many email domains, several PTR records can point to the same TXT record.
How does AADS work
• Client will then put it all together to find the configuration file
For example https://46xxdemo.c1cx.com:443/acs/resources/configurations
If we browse to that page we are asked to sign on; the client already has the user’s credentials.
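The PTR → SRV → TXT chain described on the last few slides, as an added example (not Avaya client code and not from the presentation). It runs against a constructed in-memory zone instead of live DNS: the PTR name pattern, the “proto=http” TXT option and the final URL are taken from the slides; the SRV target names (“usa” / “emea”), the second email domain sharing the same SRV/TXT records, and the EMEA host are assumptions made up for the illustration. It also includes the certificate SAN check that the HTTPS step depends on.

```python
# Constructed zone standing in for real DNS. Keys are (owner name, record type).
# SRV data is (priority, weight, port, target host).
ZONE = {
    ("_avaya-ep-config._tcp.c1cx.com", "PTR"): [
        "_avaya-ep-config._tcp.usa.c1cx.com",
        "_avaya-ep-config._tcp.emea.c1cx.com",
    ],
    # A second email domain whose PTR points at the same SRV/TXT names
    # ("can use same TXT & SRV over and over").
    ("_avaya-ep-config._tcp.clauss.org", "PTR"): ["_avaya-ep-config._tcp.usa.c1cx.com"],
    ("_avaya-ep-config._tcp.usa.c1cx.com", "SRV"): [(10, 0, 443, "46xxdemo.c1cx.com")],
    ("_avaya-ep-config._tcp.usa.c1cx.com", "TXT"): ["path=/acs/resources/configurations"],
    ("_avaya-ep-config._tcp.emea.c1cx.com", "SRV"): [(10, 0, 8080, "emea-config.c1cx.com")],
    ("_avaya-ep-config._tcp.emea.c1cx.com", "TXT"): ["proto=http", "path=/46xxsettings.txt"],
}


def lookup(name, rtype):
    """Resolver stand-in; swap in a real DNS query (e.g. dnspython) for live use."""
    return list(ZONE.get((name.lower().rstrip("."), rtype), []))


def parse_txt(strings):
    """TXT strings are 'key=value' pairs; later duplicates win."""
    kv = {}
    for s in strings:
        if "=" in s:
            k, v = s.split("=", 1)
            kv[k.strip().lower()] = v.strip()
    return kv


def discover(email, resolve=lookup):
    """Return one entry per PTR target: the SRV name and the configuration URL.

    Several entries means the client shows the user a list (USA / EMEA / APAC);
    an empty list means no PTR record exists and auto-configuration is not possible.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    results = []
    for target in resolve(f"_avaya-ep-config._tcp.{domain}", "PTR"):
        srv = resolve(target, "SRV")
        if not srv:
            continue                                   # dangling PTR: nothing to connect to
        _prio, _weight, port, host = min(srv, key=lambda r: r[0])   # lowest priority value wins
        txt = parse_txt(resolve(target, "TXT"))
        proto = "http" if txt.get("proto", "https").lower() == "http" else "https"
        path = txt.get("path", "/")
        if not path.startswith("/"):
            path = "/" + path
        host = host.rstrip(".")
        results.append({"srv": target, "proto": proto, "host": host,
                        "url": f"{proto}://{host}:{port}{path}"})
    return results


def host_matches_san(host, sans):
    """The SRV target host must appear in the server certificate's SAN list for HTTPS
    to work; a wildcard SAN matches exactly one label."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


if __name__ == "__main__":
    for entry in discover("user@c1cx.com"):
        note = "" if entry["proto"] == "https" else "  (cleartext: config travels unprotected)"
        print(entry["srv"], "->", entry["url"] + note)
    print("SAN ok:", host_matches_san("46xxdemo.c1cx.com", ["*.c1cx.com"]))
```

The “proto” flag is worth surfacing in any tooling you build around this: with proto=http the configuration, and whatever it contains, crosses the network unprotected, which is the trade-off the “can use HTTP if you wish” tip leaves to you.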
How does AADS work
Client sends the user info, device type to AADS. AADS confirms group settings, global options, and builds “46xxsettings.txt” file on the fly…
Dynamic Configuration of end users
Settings can be assigned in the following categories: EXCEPTIONS / PLATFORM / USER / PHONE MODEL / GROUP / GLOBAL
Settings applied in the above categories are layered in order to build the final set of settings. Any setting that is set in multiple categories is overwritten by the category with the highest precedence.
Platform settings apply to OS, Android, Windows or Macintosh
Group settings are applied to all users within the named LDAP group
Global settings apply to all users
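The layering described above, as an added example (not AADS code, not from the presentation). It assumes the category list on the slide is written highest to lowest precedence, so it applies GLOBAL first and EXCEPTIONS last; the administration data and the users are constructed for the illustration, using parameter names that appear elsewhere in this deck (COMM_ADDR_HANDLE_LENGTH, IOS10CALLKIT, OUTLOOK_CALL_CONTACT, GMTOFFSET, SIPDOMAIN). Besides the merged settings it records which category supplied each value, which is the first thing you want when a user asks why their client got a setting.

```python
# Lowest precedence first; assumption: the slide's list reads highest to lowest.
PRECEDENCE = ["GLOBAL", "GROUP", "PHONE MODEL", "USER", "PLATFORM", "EXCEPTIONS"]

# Constructed administration data. GLOBAL is a flat dict; every other category is
# keyed by the selector it applies to (LDAP group name, model, email, platform).
CONFIG = {
    "GLOBAL": {"SIPDOMAIN": "c1cx.com", "GMTOFFSET": "-5:00"},
    "GROUP": {                      # one LDAP security group per extension length
        "VoIP-Ext4": {"COMM_ADDR_HANDLE_LENGTH": "4"},
        "VoIP-Ext5": {"COMM_ADDR_HANDLE_LENGTH": "5"},
        "Denver": {"GMTOFFSET": "-7:00"},
    },
    "PHONE MODEL": {},
    "USER": {"user2@c1cx.com": {"GMTOFFSET": "-6:00"}},
    "PLATFORM": {"iOS": {"IOS10CALLKIT": "1"}, "Windows": {"OUTLOOK_CALL_CONTACT": "1"}},
    "EXCEPTIONS": {"user3@c1cx.com": {"COMM_ADDR_HANDLE_LENGTH": "7"}},
}


def build_settings(user, config=CONFIG, precedence=PRECEDENCE):
    """Layer the categories for one user.

    user: {"email": ..., "groups": [LDAP group names], "platform": ..., "model": ...}
    Returns (settings, origin); origin maps each setting to the category (and key)
    that supplied its final value. Within GROUP the user's groups are applied in the
    order given, so two groups setting the same name is an ambiguity to avoid.
    """
    selectors = {
        "GLOBAL": [None],
        "GROUP": list(user.get("groups", [])),
        "PHONE MODEL": [user.get("model")],
        "USER": [user["email"].lower()],
        "PLATFORM": [user.get("platform")],
        "EXCEPTIONS": [user["email"].lower()],
    }
    settings, origin = {}, {}
    for cat in precedence:
        layer = config.get(cat, {})
        for key in selectors[cat]:
            values = layer if key is None else layer.get(key, {})
            for name, value in values.items():
                settings[name] = value
                origin[name] = cat if key is None else f"{cat}:{key}"
    return settings, origin


def render_46xxsettings(settings):
    """Emit the SET lines the client downloads (the '46xxsettings.txt built on the fly').
    A device ignores names it does not use, e.g. IOS10CALLKIT on Windows."""
    return "".join(f"SET {name} {settings[name]}\n" for name in sorted(settings))


if __name__ == "__main__":
    user = {"email": "user2@c1cx.com", "groups": ["VoIP-Ext4", "Denver"], "platform": "Windows"}
    settings, origin = build_settings(user)
    print(render_46xxsettings(settings))
    for name in sorted(origin):
        print(f"{name:26} from {origin[name]}")
```

Usage: feed it the user record AADS would have after the LDAP login (email, group memberships, platform reported by the client) and compare the origin map against what the administrator expected; a value coming from an EXCEPTIONS entry that nobody remembers adding is a common reason a “fixed” group setting never reaches one user.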
Dynamic Configuration of end users
How does AADS pair an LDAP username with a configuration in System Manager?
• A matching field is used to pair an LDAP (Active Directory) user with a System Manager user.
• Good example is email address – [email protected]
After the user enters their login / password, AADS queries LDAP to validate the login, fetches the matching field, builds a dynamic configuration, and pulls user profile info from System Manager.
AADS Dynamic Configuration Example
Online help available for settings…
AADS uses customer LDAP
AADS leverages the customer LDAP server (Active Directory) to provide services.
- Single Sign On – what was shown previously.
- LDAP group membership to allow configuration by role.
- Also acts as a proxy for directory lookups so clients do not access directory services directly (problematic for firewalls and reduces CALs needed).
Some things to think about…
Devin wants you to know…
• AADS – 1 DNS PTR record per email domain
• Can be a problem for companies with many email domains, acquired companies, single config URI, but can use same TXT & SRV over and over
• Split horizon DNS required for internal / external resolution (ask us later)
• DNS has to match certificate SAN information for HTTPS
• Can point to a static config file even if no AADS or works with AADS
• Configuration server can be a Utility Server or customer provided web server if you don’t want to use AADS.
• Can use HTTP with TXT value “proto=http” instead of HTTPS if you wish
• Devices will ignore settings not relevant to them – i.e. IOS10CALLKIT ignored in Windows / OUTLOOK_CALL_CONTACT ignored in iOS / Android
• Keep it simple – put configs in by GROUP – avoid device type
• One LDAP Security Group per extension length – COMM_ADDR_HANDLE_LENGTH
Some things to think about…
Chris wants you to know…
To successfully integrate these solutions, telecom teams need to partner with customer technology teams. Need to support:
- LDAP integrations.
- DNS integration and configuration – internal and external.
- Network and firewall configurations.
- Security requirements for certificates, SSO, HTTPS, and 2FA.
And some security issues…
• Two factor authentication (2FA) is becoming more important to many customers
• Security teams require 2FA authentication against LDAP / Active Directory servers.
• Exchange Web Services may require 2FA.
Good news is that the latest clients support 2FA, but the configuration is NOT simple. Good understanding of the technology and integration are required.
Devin says – FYI - 2FA Uses KeyCloak open source software on AADS
Conclusions
• Avaya offers different configuration applications.
• Support is still available for static file based configurations.
• Dynamic, authenticated, group based configuration is the future.
• Overhead to set up systems like AADS pays off when compared to the day to day maintenance / tickets / MAC.
• Understanding of services like HTTPS files services, DHCP for IP address configuration, LDAP, and DNS are important – partner with your IT organization.
What’s the best way for you to get help with these configurations?
- Come ask us questions- www.convergeone.com- Thanks for attending!
Chris [email protected]
Find the best partner – here at the show!
Please fill out your session survey! Session 1110
Please tweet about the presentation if you liked it - @clauss
Devin [email protected]
Get this presentation – http://bit.ly/iaugpres