SIP Trunking with sipXecs: Overview and Configuration

From SIPfoundry sipXecs IP PBX, The Open Source SIP PBX for Linux - Calivia

Contents 1 Introduction 2 Interoperable Internet Telephony Service Providers (ITSPs) 3 Required Parameters for different ITSPs 4 Functional Description 5 How to configure sipXbridge 5.1 1. Specify a SIP Trunking role for a server in the cluster 5.2 2. Configure SipXbridge 5.3 3. Configure NAT Traversal 5.4 4. Configure a Dial Plan 5.5 5. Specify a Trunking Gateway with a Route pointing to SipXbridge 5.6 6 Configure an ITSP account that is managed by SipXbridge 5.7 7. Configure the Caller ID settings 5.8 8. Configure any required Dial Prefixes in your Dial plan 5.9 9. Send profiles for your server 5.10 10. check to see all your services are in good health 6 HA Configuration 7 Linux Firewall/NAT configuration tips

Introduction

Important note: sipXbridge is a new component of sipXecs that enables SIP trunking with Internet Service Providers (ITSPs) including NAT traversal. It will become available in the 4.0 release and it is currently available in 4.0 and main branch. If you want to make sure it works with your favorite ITSP, test it and share the results.

In a typical sipXecs deployment, sipXecs is connected to the enterprise LAN. The enterprise LAN typically has a firewall and Network Address Translator (NAT) that translates global addresses to private (non-routable) addresses. To be able to communicate between the PBX and the public network, we need an application level gateway or bridge. A new component was added to sipXecs called sipXbridge that provides this application level gateway functionality.

The sipXrbidge application is fully integrated into sipXecs and managed through sipXconfig. This makes it very simple for the admin to configure one or several accounts with Internet Telephony Service Providers (ITSPs) for the purpose of SIP trunking. The sipXbridge service can be installed on the same physical server as all the other sipXecs components, or it can be deployed on separate hardware. The choice is based on the need for scalability. In such a distributed setup several sipXbridge components can be added to sipXecs, each on its own physical server.

The sipXbridge service is implemented as a Back To Back User Agent (B2BUA) that enables NAT traversal and connectivity to an Internet Telephony Service Provider (ITSP). It anchors media and provides rewriting of the SIP / SDP headers so that packets can pass through the firewall / NAT and be routed from an ITSP to the sipXecs server via a NAT and vice versa.

Interoperable Internet Telephony Service Providers (ITSPs)

Following are the minimal requirements for interoperability :

• Must support RFC 3261
• Must support Re-INVITE for mid-call codec renegotiation.
• Must support Session Timer.
• Must support P-Asserted-Identity for call forwarding.

While SIP interoperability in general has made significant progress, it is still required to test interoperability with each and every ITSP to make sure all the required features for successful SIP trunking work. the following is the current list of ITSPs that we were able to test against. This list highly depends on the availability of suitable test accounts. Should your preferred provider be missing and you would like to get it added, please say so on the sipx-dev mailing list. If you can provide a test account together with your request, then that would increase the chances of getting it done considerably.

1. att.com
2. bandwidth.com
3. bt.com
4. voxitas.com
5. sipcall.ch: sipcall is an ITSP in Switzerland. DID numbers in Switzerland are free.
6. CallWithUs: CallWithUs is an international VoIP provider offering SIP and IAX service
7. Cbeyond: Cbeyond is focused on small business and provides dedicated T1 service. They are also the initial supporter of the SIPconnect standard for SIP trunking.
8. voipuser.org: voipuser.org is a free ITSP service that offers you a fee did and limited outbound dialing privileges.
9. bandtel.com
10. les.net: les.net is an ITSP in Canada. It can be configured to support North American 7-digit and 10-digit dialing.
11. eutelia.it
12. Vitelity.net
13. vitaltalk.com
14. Voip.ms
15. callcentric.com

The final user interface will provide a drop-down menu to select an ITSP. All necessary parameters will be auto-populated. In the mean time we will provide a table that indicates necessary settings to accomplish interoperability.

Here is a list of different international ITSPs.

Required Parameters for different ITSPs

Provider (ITSP)	Domain	Outbound Proxy	Global addr	Registrar	Reg On Init	Default caller Id	SIP keepalive	RTP keepalive
bandwidth.com	ot.bandwidth.com	n/a	true	n/a	false	true	CR-LF	NONE
att.com	Specified by AT&T	n/a	true	n/a	false	true	CR-LF	NONE
bt.com	sip.ser-001.nat.bt.com	81.144.230.5	false	default	true	true	CR-LF	replay last sent packet
cbeyond.net	sipconnect-fca.atl0.cbeyond.net	sip-proxy-fca.atl0.cbeyond.net	true	default	true	true	CR-LF	NONE
voxitas.com	wdc01a.netlogic.net	wdc01a.netlogic.net	false	default	true	true	CR-LF	NONE
sipcall.ch	voipgateway.org	voipgateway.org	true	default	true	true	CR-LF	replay last sent packet
callwithus.com	sip.callwithus.com	n/a	true	default	true	true	CR-LF	empty packet
voipuser.org	sip.voipuser.org	n/a	false	default	true	true	CR-LF	empty packet
bandtel.com	bandtel.com	proxy1.bandtel.com	true	registrar.bandtel.com	true	true	CR-LF	empty packet
les.net	did.voip.les.net	n/a	false	default	true	true	CR-LF	empty packet
eutelia.it	voip.eutelia.it	n/a	true	default	true	true	CR-LF	empty packet
vitelity.net	vitelity.net	outbound.vitelity.net	true	inbound8.vitelity.net	true	true	CR-LF	empty packet
vitaltalk.com	vitaltalk.com	chicago-1a.vtnoc.net	true	default	true	true	CR-LF	replay last sent packet
voip.ms	voip.ms	n/a	true	default	true	true	CR-LF	NONE
callcentric.com	callcentric.com	204.11.192.31	false	204.11.192.31	true	true	CR-LF	NONE

In addition to the settings in the table above, you will also need to configure your Caller-ID setting for the account as described below.

The SIP trunking capabilities of sipXecs (or sipXbridge) should extend far beyond the list of ITSP included in the table above. There are simply too many ITSPs so that we cannot test with them all. You can help extend the list. We are in the process of defining test procedures for ITSP interoperability testing and certification. [See [1]]

User comments

Functional Description

The sipXbridge service is designed to be as flexible as possible when it comes to accommodating differences between ITSPs. It turns out that ITSPs still have significant variability in how things work and also adherence to the SIP standard varies. The capabilities offered by sipXbridge are designed to maximize flexibility. The following lists some of the currently available features:

• ITSP Registrations: Registers with ITSPs and keeps Registrations fresh.
• Message size reduction and topology hiding: sipxBridge reduces message size by stripping any state that is not relevant to the ITSP (but may be relevant to sipXecs). These include route headers and other headers that are specific to sipXecs.
• Near end NAT traversal requirements: Can operate behind a NAT. However, sipXbridge requires that there is no NAT between itself and the sipXecs proxy. Supports both dynamic and static NATs. sipXbridge re-writes SIP/SDP headers in the call setup signaling as needed by the ITSP. Keeps NAT bindings alive using periodic outbound signaling if needed (for example use empty packets for RTP keepalive and CR-LF sequences for SIP keepalive). Does not, in general, assume that the ITSP provides hosted NAT compensation.
• Is configurable with sipXconfig: All aspects of SIP trunking are plug & play configurable
• Has good media performance: sipXbridge anchors media and is implemented as an efficient media relay service. A single sipXrelay instance can comfortably handle 250 concurrent calls within acceptable limits of jitter and delay without becoming a bottleneck.
• Is media (codec) agnostic.
• Supports concurrent multi-ITSP configurations: A single sipXbridge instance can support multiple ITSP accounts with multiple DIDs per ITSP and can concurrently process the call setup signaling and media needed by these accounts.
• Handles NAT/ITSP reboots: If the NAT reboots and comes back to life, sipXbridge will re-REGISTER with the ITSP. It relies upon session inactivity timers to clean up media resources that are allocated for the call in case of session inactivity and it uses periodic STUN global address re-discovery if configured to do so.
• Works with commonly used phones and ITSPs: Exports all the necessary configuration options to allow such deployments and assumes no NAT traversal capabilities in the phone.
• Supports call transfers locally: Call transfers are supported without sending the REFER to the ITSP. Therefore, it can handle both blind and consultative transfers and it is possible to transfer in or outbound calls via an ITSP back out to the ITSP (hair-pinned transfers).
• Can be configured to play music on hold during the transfer.
• Provides logging support: sipXbridge provides logging of messages and signaling in the syslog format expected by the sipXecs trace viewing (sipXviewer) tool.
• Interoperates with the other sipXecs services (for example the conferencing service).
• Integrated with sipx alarms: Provides administrator notification using the alarm facility of sipx.

How to configure sipXbridge

Configuring SIP Trunking service using sipXbridge is fully supported by the sipXecs Web user interface. It involves the following steps:

1. Specify a SIP Trunking role for a server in the cluster
2. Configure a SipXbridge instance
3. Configure and the NAT traversal Settings (sipxrelay)
4. Specify a dial plan
5. Specify a trunking Gateway for the dial plan with a route pointing to the SipXbridge instance configured in a previous step.
6. Configure the ITSP account settings
7. Configure the caller ID settings.
8. Configure any required prefixes in the Dial Plan
9. Send profiles
10. Restart any services as necessary

1. Specify a SIP Trunking role for a server in the cluster

Follow the System > Servers link.

Select a server in the cluster where you want to run SipXbridge by picking the Sip Trunking role for that server. This will allow you to define a sipxbridge instance that runs on that server.

2. Configure SipXbridge

Navigate to Devices>SBC. To get to this screen :

Select the SipxBridge instance defined in the previous step and configure it. Note the inbound call settings ( defaults to operator ). This is a convenience field. You can set this to a hunt group extension, conference extension or other extension that is not an alias for a real user. You can also leave this field blank and use your DID as a user alias to direct your call to a specific user alias. You would want to do that, for example, if you have multiple DIDs and you want each DID to be assigned to a different user.

The public port in this page is the port that is exposed to the public network through your firewall setting. If your firewall restricts inbound traffic, you must open this port on your firewall to allow inbound signaling from the ITSP. The external port in the screen above is the port that is a port on the machine that sipxbridge runs on. It "faces" the firewall. It is associated with the public port on the firewall. Hence the firewall must be configured to send packets from the the public port to the external port. If you leave the public port blank, the external port is assumed to be the same as the public port (i.e. the mapping is assumed to be symmetric). If your firewall filtering rules allow inbound traffic from those destinations to which outbound traffic has previously been sent and if your ITSP provides "hosted NAT compensation", you do not need to reconfigure any firewall rules.

SipXbridge runs on port 5080 (not 5060). You can change port on which it recieves signaling. However, if you change the sipxbridge port, be careful of causing port conflicts with other sipx components that are co-located on the same platform that bind to the same IP address. The port where sipxbridge expects to recieve signaling has nothing to do with where the ITSP expects to receive its signaling. The ITSP can continue to receive its signaling at port 5060. If your ITSP does IP address provisioning (i.e. ITSP registers your public address and signals that public address), they will probably default to signal sipXbridge on port 5060. If you do a straight through mapping on your firewall (i.e. external port maps to identical internal port) and open up port 5060, the signaling from the ITSP would bypass SipXbridge and go directly to the SIPX Proxy server and hence SipXbridge would not work. Please contact your ITSP and provision their system to signal port 5080 on your public address and open up port 5080 on your firewall (recommended) or use appropriate firewall rules to map external port 5060 to port 5080. If you chose to do the latter (not recommended - especially if you are also configuring remote workers), you would need to specify what port on the firewall you have mapped in the screen above. This note does not apply to ITSPs that function by Registration.

Typically ITSPs do not handle certain types of SIP requests such as REFER which is used in Call Transfer operations. To implement call transfer, SipXbridge does signaling translation, converting a REFER request to an INVITE request to the call transfer target. Consequently, a ringing tone will not be heard at the calling phone during call transfers when the call is routed through SipXbridge. Enable Music On Hold on this page if you would like to hear music for blind transfers. If you do not do this, you will hear silence during the time a call is being transferred blind. You are recommended to turn MOH off for your phone when MOH is turned ON on sipXbridge as certain race conditions may occur.

3. Configure NAT Traversal

Navigate to System > Servers > Services > NAT. This will take you to a page where you can configure your NAT traversal service settings. You can select to use STUN or enter your public address here. A relay service (known as SipXrelay) manages a range of ports which defaults to the range 30000 to 31000. This setting must be a contiguous range of free ports.

If your server is running behind a NAT you must also explicitly declare that. Go over to System > Internet Calling and select the NAT Traversal Link. Check the Server Behind NAT box. If you plan to configure remote workers you should also enable NAT traversal on this page.

4. Configure a Dial Plan

Navigate to System > Dial Plans.

Using the pull down menu from the screen above, define a new Dial plan.

In the Gateways section drop down list, select the action to add a new SIP Trunk Gateway. Configure it as described in item 5. After you are done adding the Gateway, you must select the "Enabled" check box in the screen above. Click on Accept and OK to back out of this screen.

5. Specify a Trunking Gateway with a Route pointing to SipXbridge

Specify the address of the ITSP in the following screen. You should see the previously defined SBC (i.e. sipxbridge) appear in the drop down list for the Route.

Note the caller Id, ITSP account and Dial plan links in the screen above. You have to fill in the requisite information by clicking on these links.

6 Configure an ITSP account that is managed by SipXbridge

Most ITSPs only need for you to specify a proxy domain, user name and password. User Name is mandatory for accounts that require Registration with the ITSP.

Many ITSPs allow web access to set up your account. The password on this screen is your SIP password and not your web account password.

Some ITSPs may require advanced settings. To enter these settings, you can navigate to the ITSP Account settings from the gateway screen. For example, the Asserted-Identity field may be specialized. Click on the Advanced link to change these settings.

Whether the ITSP requires Registration or not, The Asserted Identity is a required header for most ITSPs that allow anonymous calling. It is used to compute the identity of the caller for anonymous calling. The asserted identity field is also typically used for call forwarding to the ITSP. If the ITSP does not recognize this field and uses the From header for account identification, these features may not work. if you select to "use default asserted identity", you must specify a user name so that the default Asserted Identity may be computed. If you elect to override the default Asserted Identity you must specify a valid entry (i.e. username@domain ) in the Asserted identity field. If you elect to specify an Asserted Identity, and if the asserted identity field is left blank or if you select the default and the user name is left blank, then none will be inserted into the call setup request bound for the ITSP.

Here is what the form will look like (with the advanced section shown):

Note that the proxy domain of the ITSP account must match, or be a suffix of the Address that you enter in the Gateway page. Otherwise sipxbridge will not find the ITSP account and will return NOT found. If your ITSP needs advanced settings, you can click on the "Advanced" link to include the necessary information. For ITSPs with hosted NAT Traversal capabilities, you usually need to set up to use private addressing and turn on RTP keep alive in order for call forwarding to the ITSP to work.

7. Configure the Caller ID settings

From the Gateway page click on the Caller ID link. Select the advanced checkbox. Enter the caller-Id for the account. The caller Id is what appears in the From: header of the outbound request for non-anonymous calls. Usually, accounts that are provisioned by public address have the caller Id set to user-name@public-address. Accounts that are provisioned by SIP Registration, usually have user-name@itsp-domain. Variations are possible. Please check with your ITSP. On this screen, the domain does not necessarily have to be a DNS Domain name. Some ITSPs may require that you have to use an IP address here. Note that the settings on this screen affect all calls that are routed via the given trunking gateway to the ITSP.

If you want to specify a per-user caller ID ( for example the DID that is assigned to the user to appear as that user's caller-ID ) here is how to proceed :

1. Do not specify a caller-id in the trunking gateway configuration screen below(leave all fields blank).
2. Specify a per-user caller ID when configuring the user.

8. Configure any required Dial Prefixes in your Dial plan

From the Gateway configuration page navigate to the Dial Plan page. Set up any dial prefixes (for example +1. This is usually country dependent. )

9. Send profiles for your server

This step writes out the configuration files to the file system on which sipxbridge runs.

10. check to see all your services are in good health

Click on the server link on the page above and restart any services necessary. Correct any errors. Check your alarm mail to see that there are no configuration alarms.

HA Configuration

For HA Configuration each node of the HA system must have media relay ports that do not overlap with the other server. Otherwise media relaying will not work correctly If you have enabled SIP trunking on more than one server, ITSP account configurations should not interfere with each other.

Linux Firewall/NAT configuration tips

If you are using Linux firewall / NAT, the following IP Tables settings may be handy. Note that many good references for IP Tables are available and these should be consulted for authoritative advice.

Some ITSPs work without any special NAT configuration needed. They work by ignoring the SIP/SDP port information -- relying instead on the remote address and port of the incoming datagram (SIP/RTP) packet. Such ITSPs require no special NAT configuration (other than the normal IP Tables forwarding rules for symmetric NAT) and will expect you to use local addresses in all your call setup signaling.

Other ITSPs are more particular. They will expect you to provide a valid port in your call setup signaling and only send RTP packets to the specified ports. To cover such cases, you need to configure your NAT/Firewall, appropriately. You need to set up port forwarding in the port range that sipxbridge uses.

Here are my linux firewall rules for this:

iptables -t nat -A PREROUTING -p udp --dport 25000:25500 -j DNAT --to-destination 192.168.5.240
iptables -A FORWARD -i $EXTIF -o $INTIF0 -d 192.168.5.240 -p udp --dport 15000:15500 -j ACCEPT

Some ITSPs (notably bandwidth.com ) do not accept REGISTER. You will have to provide them with a static IP address and configure your firewall to forward packets to sipxbridge as above. Such service providers will send signaling to port 5060. For such providers, the following set of rules may come in handy.

iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 5060 -j DNAT --to-destination 192.168.5.240:5080
iptables -A FORWARD -i $EXTIF -o $INTIF0 -d 192.168.5.240 -p udp --dport 5080 -j ACCEPT
iptables -t nat -A POSTROUING -s 192.168.5.240 -o $EXTIF -j MASQUERADE
iptables -A FORWARD -p udp --sport 5060 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT

Here, my sipxbridge runs on 192.168.5.240 and accepts inbound signaling on port 5080 whereas, the ITSP can send to my public address at port 5060. It sends media in the port range 25000 to 25500 which is forwarded symmetrically to my sipxbridge installation running at IP address 192.168.5.240.

EXTIF is my WAN-facing interface of the NAT ( eth3 ). INTIF0 is my LAN-facing interface of the NAT ( eth0 ).

The figure below shows a simple call setup via sipxbridge. The sipx proxy and other details have been omitted for clarity. For more details on how sipxbridge works, check out the source code and look at the design document in the sipXbridge/doc/design.tar.gz file.