Avaya Aura Deployment Manual

Deploying the Avaya Aura® Web Gateway
Release 3.5
Issue 1
October 2018

Summary of Contents for Avaya Aura

  • Page 1 Deploying the Avaya Aura® Web Gateway Release 3.5 Issue 1 October 2018...
  • Page 2 Software at any given time. A “Unit” means the unit on which THE LINK “Avaya Terms of Use for Hosted Services” OR SUCH Avaya, at its sole discretion, bases the pricing of its licenses and can SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE...
  • Page 3 IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION written consent of Avaya can be a criminal, as well as a civil offense FOR H.264 (AVC) AND H.265 (HEVC) CODECS MAY BE under the applicable law.
  • Page 4 See the Avaya Support website: https://support.avaya.com product or Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: https://support.avaya.com...
  • Page 5: Table Of Contents

    sys smcvemgt command (page 34); Resource profile specifications (page 37); Resource profile specifications for Avaya Aura® Web Gateway on VMware (page 37); Resources profile specifications for Avaya Aura® Web Gateway on Amazon Web Services (page 38); Virtual disk volume specifications (page 39)...
  • Page 6 Virtual IP configuration options; Advanced configuration (page 93); Starting services using a command line (page 94); Configuring OAMP to use Linux account credentials on the Avaya Aura® Web Gateway administration portal (page 95); Chapter 7: Global FQDN configuration (page 96); DNS configuration (page 96)...
  • Page 7 Checklist for creation of a TLS server profile for a management interface; Configuring Avaya SBCE load monitoring (page 121); Adding Avaya Session Border Controller for Enterprise to the Avaya Aura® Web Gateway (page 122); Adding Avaya Session Border Controller for Enterprise to Avaya Equinox® Conferencing...
  • Page 8 Applying third-party signed certificates to the Avaya Aura® Web Gateway (page 150); Adding third-party root CA certificates to the Avaya Aura® Web Gateway (page 151); Creating a Certificate Signing Request (CSR) using OpenSSL (page 151)...
  • Page 9: Chapter 1: Introduction

    This document does not describe SDK developer applications. After you deploy Avaya Aura® Web Gateway, see Administering the Avaya Aura® Web Gateway for administration and maintenance information. Change history This section describes the major changes made in this document:...
  • Page 10 • Added additional information in the sections under Avaya Session Border Controller for Enterprise configuration on page 108. • Updated Documentation on page 143. • Minor rephrasing throughout the document. October 2018 Deploying the Avaya Aura® Web Gateway Comments on this document? infodev@avaya.com...
  • Page 11: Chapter 2: Avaya Aura Web Gateway Overview

    process. For more information, see Deploying Avaya Equinox Solution. New in this release The following is a summary of new functionality that has been added to the Avaya Aura® Web Gateway in Release 3.5: Avaya Breeze™ authorization...
  • Page 12: Solution Architecture

    This section provides a graphical representation of the Avaya Aura® Web Gateway deployment architecture. [Architecture diagram; client labels include Avaya Equinox, Vantage, Mac OS, Windows...]
  • Page 13 Topology diagram
  • Page 14: Geographical Distribution Overview

    20. General geographical distribution topology In this topology example, there are two data centers with one Avaya Aura® Web Gateway in each data center. For simplicity, System Manager is deployed in Data Center 1 (DC1), while Session...
  • Page 15: Signaling And Media Path Topology When Clients Are Located In Or Near Different Data Centers

    Signaling and media path topology when clients are located in or near different data centers In the following topology example, there are two data centers with one Avaya Aura® Web Gateway in each data center. Clients are located in different data centers outside of the firewall and...
  • Page 16 4. Session Manager deployed on DC1 forwards the call to Session Manager deployed on DC2. 5. Session Manager deployed on DC2 forwards the SIP invite to the Avaya Aura® Web Gateway from DC2, where the second client is logged in...
  • Page 17: Signalling And Media Path Topology When Both Clients Are Located In Or Near The Same Data Center

    In the following topology example, there are two data centers with one Avaya Aura® Web Gateway in each data center. Two clients are located in or near the same data center (DC1): •...
  • Page 18: Interoperability

    Device Services Interoperability Product compatibility Avaya Aura® Web Gateway interacts with the following components. For information about interoperability and supported product versions, see https://secureservices.avaya.com/compatibility-matrix/menus/product.xhtml.
  • Page 19: Web Browser Requirements

    • Session Manager: Enables applications to perform registration and telephony functions, such as call escalation. Avaya Multimedia Messaging: A server that provides messaging services. Conferencing: This describes the deployment for Avaya Aura® Web Gateway, but not Conferencing itself. The Avaya Equinox® Conferencing solution provides conferencing and collaboration functionality.
  • Page 20: Chapter 3: Deployment Process

    Chapter 3: Deployment process The following table shows the high-level tasks for deploying the Avaya Aura® Web Gateway. High-level tasks Notes Perform planning and site preparation tasks. Planning checklist on page 23. As part of the site preparation, you must set up the required infrastructure components in your network.
  • Page 21 Certificate configuration using the configuration utility on page 148. Configure System Manager. See Adding the Avaya Aura Web Gateway to System Manager on page 99. Configure Avaya Aura® Media Server. See Configuring Avaya Aura Media Server settings on page 103.
  • Page 22 See External client access configuration on page 119. Configure an external load balancer. See Route configuration for an external load balancer on page 106.
  • Page 23: Chapter 4: Planning And Preinstallation

    Chapter 4: Planning and preinstallation Review this chapter before you start installing the Avaya Aura® Web Gateway. You can either deploy the Avaya Aura® Web Gateway using Amazon Web Services (AWS) or VMware. Warning: When you deploy Avaya Aura® Web Gateway, avoid copying and pasting commands directly from this document.
  • Page 24 Planning and preinstallation Task Notes Tip: Configure your SSH tool to properly see lines in the Avaya Aura® Web Gateway configuration utility. For example, in the PuTTY Reconfiguration screen, navigate to Window > Translation and do the following: - Set Remote character set to Use font encoding.
  • Page 25: Required Skills And Knowledge

    - For AWS deployments, you must be familiar with Amazon Machine Images (AMIs) and with the AWS Management console. For a list of supported browsers in AWS, see https://aws.amazon.com/console/faqs/#browser_support. • Install, deploy, and use key Avaya Aura® components. • Use basic Linux commands. Related links Product compatibility...
  • Page 26 Avaya Equinox Conferencing Management system. In a multiple FQDN deployment, the FQDN resolves externally to the IP address of the external Avaya SBCE interface. FQDN for each Web Collaboration Services server In a single FQDN deployment, the certificate for IP address.
  • Page 27: Linux Alias Commands

    Linux aliases are defined to make frequently used commands easier to use. When an alias is available for the required operation, you can use the alias instead of typing a long path name and using sudo. The path name specification and sudo invocation are built into the aliases that Avaya provides.
  • Page 28 The aliases must be used only from the command line in a Linux shell. Do not use them in a script. You must use the actual target command in a script.
  • Page 29: System Layer Commands

    Manages the enablement status of Linux kernel patches for the Spectre and Meltdown vulnerabilities. [admin@server-dev ~]$ Any arguments provided after the name of the system layer command are passed through to that command.
  • Page 30: Sys Secconfig Command

    The sys volmgt command is used to query and extend disk volumes on the system. The following provides the command line syntax for this command: [admin@server4889csa ~]$ sys volmgt --help Syntax: --help, --hhelp, --version, --status, --summary, --monitor [tail|less], -m [tail|less] --logs,...
  • Page 31 (VMware). The following example illustrates how to add 20 GiB of storage to the application log volume (/var/log/Avaya). This volume is located on the second disk of the system and so this example assumes that disk 2 has been increased in size by 20 GiB.
  • Page 32 --status - Logical volumes on the system are referenced using their Linux file system mount points, such as /var/log/Avaya and /media/data, with the exception of the volume containing Linux swap, which has no mount point. The Linux swap volume is referenced using "swap".
  • Page 33 "g" for gibibytes", and "t" for tebibytes". The smallest increment that can be specified is 100 MiB. Example invocations: sys volmgt --extend /var/log/Avaya 10g sys volmgt --extend /var/log/Avaya 10.5g sys volmgt --extend /var/log/Avaya 0.5g sys volmgt --extend /var/log/Avaya .5g...
  • Page 34: Sys Smcvemgt Command

    The script does not manage the state of application services. To ensure that the application services are stopped before the reboot, run the svc csa stop command before...
  • Page 35 For more information on Spectre/Meltdown kernel tunables, refer to: https://access.redhat.com/articles/3311301 For additional information on the Spectre/Meltdown vulnerabilities, refer https://access.redhat.com/security/vulnerabilities/speculativeexecution Syntax: --help, Provide terse help. --hhelp, Provide verbose help (this text).
  • Page 36 The following two commands are equivalent: sys smcvemgt enabled sys smcvemgt v2=default v3=enabled The following two commands are equivalent: sys smcvemgt disabled sys smcvemgt v2=disabled v3=disabled --history
  • Page 37: Resource Profile Specifications

    The following command disables patches for Variant #3/Meltdown. Variant #2/Spectre retains its current settings. sys smcvemgt --set v3=disabled Resource profile specifications Resource profile specifications for Avaya Aura® Web Gateway on VMware The following section outlines the resource profile specifications for differently sized virtual machines.
  • Page 38: Resources Profile Specifications For Avaya Aura® Web Gateway On Amazon Web Services

    Resources profile specifications for Avaya Aura® Web Gateway on Amazon Web Services The following table outlines the profiles created by the CloudFormation template generators. You can use the CloudFormation template generation tool to create a template for the required profile.
  • Page 39: Virtual Disk Volume Specifications

    Use a direct connection along with a private WAN connection with Service Level Agreement (SLA) measures to ensure that the network quality is appropriate for signaling and voice traffic. Avaya is not responsible for network connections between AWS and the customer premises. When you deploy Avaya Aura® Web Gateway in an AWS environment, you must also deploy a local LDAP server in AWS.
  • Page 40: External Load Balancer Requirements

    10.0 Total disk size 132.0 External load balancer requirements In a geographically distributed deployment, the Avaya Aura® Web Gateway requires an external load balancer that must comply with the following requirements: Requirement Description The HTTP Global Server Load Balancing...
  • Page 41 relay the client certificates. This requirement is only needed for authenticating clients using a client certificate. The HTTP load balancer must be able to insert custom headers to HTTP requests.
  • Page 42: Chapter 5: Initial Setup For Vmware And Aws Deployments

    Chapter 5: Initial setup for VMware and AWS deployments You can deploy Avaya Aura® Web Gateway in a VMware or AWS environment. Use the following sections to perform the initial VMware or AWS setup. Deployment process checklist This checklist describes the high-level deployment process for virtual machine deployments on VMware and AWS.
  • Page 43: Vmware Deployments

    System (Avaya PLDS) at https://plds.avaya.com. • Place an order for the DVDs containing the OVA file using the Material Code ID or description. For more information about the material ID, see “Product Order Codes and Pricing” in Avaya Aura® Web Gateway Offer Definition.
  • Page 44 The default user name is admin, group is admingrp, and password is avaya123. 12. From the Ready to Complete tab, verify your settings and then click Next to complete the installation. Next steps Install the Avaya Aura® Web Gateway. Deploying the Avaya Aura® Web Gateway OVA using vSphere Procedure 1.
  • Page 45 Deployment Manager from System Manager About this task Use this procedure to create a virtual machine on the ESXi host and deploy the Avaya Aura® Web Gateway OVA on the virtual machine. Before you begin • Ensure that you are familiar with the “Deployment checklist” section in Deploying Avaya...
  • Page 46 Current Action Status column. The system displays the virtual machine on the VMs for Selected Location <location name> page. 13. (Optional) To view details, click Status Details.
  • Page 47: Amazon Web Services Deployments

    LDAP server in AWS. This LDAP server is a replica server that synchronizes content from a master LDAP server within the enterprise. To reduce latency for authentication and directory lookup operations, this LDAP server must be collocated with Avaya Aura® Web Gateway in the same AWS region.
  • Page 48: Creating A Key Pair

    When you create a key pair, save it. If you lose the key, you cannot retrieve it and you will not be able to access the instance.
  • Page 49: Ova To Ami Conversion

    Amazon S3 Documentation. 6. Click Create. Next steps Upload the Avaya Aura® Web Gateway OVA. Creating a service role About this task Use this procedure to create a role named vmimport for importing files into the S3 bucket. Use the AWS CLI to run the commands in this procedure.
  • Page 50 3. From the All Buckets area, select a bucket. 4. Click Upload. 5. In the dialog box that is displayed, click Add Files and upload the Avaya Aura® Web Gateway OVA with the -aws-001-ova suffix. Importing the OVA for AMI conversion About this task You can use files in the JSON format that are included in the AWS configuration files artifact.
  • Page 51 IMPORTIMAGETASKS x86_64 CM-Simplex-07.1.0.0.xxx-aws-001.ova import-ami-ffgji45r BYOL Linux 76 active preparing ami The output format varies depending on the selection of the text or JSON format on the AWS CLI configuration.
  • Page 52: Creating Cloudformation Templates

    3. In Number of nodes, set the number of servers required for the cluster. 4. In Number of subnets, set the number of subnets required for the cluster.
  • Page 53: Deploying A Single-Node Cloudformation Stack

    CloudFormation is an AWS service used to create a stack. A stack is a graph of objects such as EC2 instances and EBS volumes inside the Amazon cloud. CloudFormation is used to create the objects required for a single-node Avaya Aura® Web Gateway system within a subnet of an existing virtual network.
  • Page 54 To complete the first-login configuration, log in using admin@Instance.hostname or admin@instance_IP as the login credentials are not provided. Accept the license agreement and set the password.
  • Page 55: Aws Cluster Deployments

    Confirm Password: Retype your password. e. CN, Common name: Type <FQDN of the load balancer>. f. Token: Select the PEM file. Note: The remaining fields are optional. For more information, see Administering Avaya Aura® System Manager. 3. Click Add.
  • Page 56 17. Copy and save the ARN value in the Details section. The ARN is required for the Load balancer certificate ARN field during the multi-node CloudFormation deployment.
  • Page 57 You can obtain the AMI ID of an image from the EC2 AMI page. On a separate browser tab, navigate to Services > EC2 > Images > AMIs. 9. In Network area, select the required Virtual Private Cloud.
  • Page 58 22. Click the Physical ID of the EC2 instance for the node, for example, i-0fccb4a222a32dcc9. The system displays the Instances page using a filter that displays the newly created AMI.
  • Page 59: Creating A Hybrid Cloud For Client Access

    • Assign an IP address range to the VPC that does not overlap with any subnet in your network. Procedure 1. Sign in to the AWS console. 2. Navigate to Services > Management Tools > CloudFormation and select the required stack.
  • Page 60: Configuring On-Premise Dns Resolution Of Vpc Addresses

    • Routes on your AWS VPC VPN gateway that direct UDP port 53 traffic from the enterprise toward the VPC. • The IP address of the DNS server in the AWS VPC.
  • Page 61: Logging In To The Ec2 Instance

    Log in to the EC2 instance using the SSH console or PuTTY. For information about how to use PuTTY, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html?icmpid=docs_ec2_console. Note: You must use the key that you specified during stack creation.
  • Page 62: Completing The First-Login Configuration

    • n to make changes to your selections. Next steps Install the Avaya Aura® Web Gateway application software using the app install command as described in Installing the Avaya Aura Web Gateway on page 64.
  • Page 63: Uninstalling The Avaya Aura® Web Gateway

    Before you begin Open the Linux shell using the Linux administrator account credentials. Procedure 1. To remove the Avaya Aura® Web Gateway from the system, run the following command: app uninstall 2. When prompted, type the following: a. uninstall and press Enter.
  • Page 64: Chapter 6: Avaya Aura® Web Gateway Setup

    When you run the app install command without specifying a build, then the system automatically picks up the current build in opt/Avaya. If you do specify a build by running app install csa-<version>.bin, then the system looks for that build first in your current working directory and then in opt/Avaya.
  • Page 65 For a cluster deployment that uses an external load balancer, you must configure Front-end IP or FQDN as the FQDN corresponding to the external load balancer. b. Select System Manager FQDN and enter the FQDN of the Avaya Aura® System...
  • Page 66 IP backup node. d. To save the changes on the system, select Apply and then select Continue. e. Select Return to Main Menu and press Enter.
  • Page 67: Performing A Silent Installation

    Performing a silent installation About this task Use this procedure to perform a silent installation of the Avaya Aura® Web Gateway server. The silent installation consists of configuring most of the settings in a properties file, instead of using the installation and the configuration menu for every item.
  • Page 68: Seed Node Replacement Configuration

    Seed node replacement configuration If a seed node is unavailable, you might experience service loss on an Avaya Aura® Web Gateway cluster. You will also be unable to install a new node on the cluster. To prevent this issue from occurring, you can specify a list of backup nodes for the seed node while performing silent installation.
  • Page 69 After installing an initial node, use this procedure to create a cluster of Avaya Aura® Web Gateway nodes. You can also use this procedure to add nodes to an existing cluster at a later time.
  • Page 70 (Optional) Select System Manager web admin username (o) and System Manager web admin password and provide the credentials. c. Select System Manager HTTPS Port and type the port for contacting Avaya Aura® System Manager. The default port is 443.
  • Page 71: Seed Node Replacement Configuration

    • After all of the required cluster nodes are installed or if new nodes are added to an existing cluster, you must configure the RSA public and private keys on the initial node. Related links Seed node replacement configuration on page 68
  • Page 72: Configuring Rsa Public And Private Keys For Ssh Connections In A Cluster

    1. Log in to the Linux shell on the initial node by using the Linux administrator account credentials. 2. Run the Avaya Aura® Web Gateway configuration utility using the app configure command. 3. Navigate to Clustering Configuration > Cluster Utilities > Configure SSH RSA Public/Private Keys.
  • Page 73: Avaya Aura® Web Gateway Initial Configuration Settings

    They also list the equivalent installation.properties file parameters for each setting for silent installations. If you do not configure a setting during installation, you can configure it later. You can update many of these settings anytime using the Avaya Aura® Web Gateway...
  • Page 74 System Manager and navigate to Service > Security > Certificates > Enrollment Password. Override port for remote access (OVERRIDE_FRONTEND_PORT): Specifies the port on the Avaya Aura® Web Gateway server. This port is used For the Front-end port for reverse...
  • Page 75 Front-end port for reverse proxy. If you override the port for remote access, you must configure this port on the Avaya SBCE external interface for Avaya Aura® Web Gateway. For more information, see Administering Avaya Session Border Controller for Enterprise.
  • Page 76 • other supported characters: exclamation point (!), at symbol (@), hash (#), percent sign (%), caret (^), star (*), question mark (?), underscore (_), dot (.)
  • Page 77: Ldap Configuration

    Web Gateway system. In addition, do not change the server URL unless you need to switch the configuration to another replicated instance of the current LDAP directory. In all the other cases, you must reinstall the Avaya Aura® Web Gateway system.
  • Page 78 • Microsoft Active Directory Lightweight Directory Services (AD-LDS) • IBM Domino Server 7.0 Note: The Domino server must be patched to support TLS, so Avaya Aura® Web Gateway can connect to the Domino server through secure LDAP (LDAPS). For a list of supported patch fixes, see https://www-10.lotus.com/ldd/...
  • Page 79 Bind DN, the format of its value is not limited to the DN format. The format can be any format that the LDAP server can support for LDAP bind.
  • Page 80 For example: for Active Directory, you can use "domain\user", "user@domain", as well as the actual DN of the user object. Bind Credential (bindCredential): The password that the Avaya Aura® Web Gateway server requires for the LDAP bind operation. This is a mandatory setting. Important:...
  • Page 81 Web Gateway Auditor role. For example: If the Auditor role is configured as CSAAuditor,CSAxyz, any user whose list of roles contains the CSAAuditor or CSAxyz role is mapped to the Avaya Aura® Web Gateway AUDITOR role. Note: The values of the roles are case-sensitive when they are mapped to the application roles.
  • Page 82 So they must match exactly to the roles name found for a user for the mapping of the LDAP roles to the Avaya Aura® Web Gateway application roles to succeed. Services The list of LDAP roles that match the...
  • Page 83 So they must match exactly to the roles name found for a user for the mapping of the LDAP roles to the Avaya Aura® Web Gateway application roles to succeed. Advanced LDAP The menu that contains advanced LDAP...
  • Page 84 • If RoleAttributeIsDN is false, this parameter is ignored. For example: cn
  • Page 85 • Level 2, also named SUBTREE_SCOPE, indicates that the search is performed at the named role context and in...
  • Page 86 1.2.840.113556.1.4.803:=2 ))). Last updated time attribute (lastUpdatedTimeAttr): The attribute indicating the last time an LDAP object was modified, in the ASN.1 Generalized Time Notation.
  • Page 87 When multiple directories are enabled for authentication, you must provide your FQDN to log in. For example: username@avaya.com. A short user name is not supported. If you do not have proper data in user name attributes, such as mail and userPrincipalName, you can assign a custom attribute that is used for the UID mapping of user names.
  • Page 88 Web Gateway installation procedure, you can configure only one LDAP server. If you want to add more LDAP servers, use the web administration portal. For more information, see “Adding a new enterprise LDAP server” in Administering the Avaya Aura® Web Gateway. Configuring the role search parameters...
  • Page 89 Avaya user in the ® Aura “AAWGDelegates” Gateway so this is...
  • Page 90: Cluster Configuration

    This role is for updating web certificates from the web AAWGSecurityAdmin Administrator Role administration portal. Cluster configuration Using the Cluster configuration, you can configure the Avaya Aura® Web Gateway nodes in a clustered environment.
  • Page 91: Virtual Ip Configuration Options

    IP address. If you select y (yes), new configuration settings for the virtual IP address are displayed in the configuration menu.
  • Page 92 This password must be password the same as the virtual IP authentication password configured for the initial node. Related links Avaya Aura Web Gateway initial configuration settings on page 73
  • Page 93: Advanced Configuration

    Timeout (AVAYA_REQUEST_TIMEOUT): The menu that contains the Recommended Long Poll Timeout configuration option. Use this option for setting the value to use in the Avaya-Request-Timeout HTTP header for long-poll requests. Important: The long poll timeout value can be from 30 to 120.
  • Page 94: Starting Services Using A Command Line

    Procedure 1. Open the Linux shell using your Linux administrator account credentials. The Linux administrator account is created during the deployment process. 2. To start the Avaya Aura® Web Gateway services, run the following command: svc csa start...
  • Page 95: Configuring Oamp To Use Linux Account Credentials On The Avaya Aura Web Gateway Administration Portal

    Web Gateway administration portal About this task This is an optional procedure that you need to perform if you want to log on to the Avaya Aura® Web Gateway administration portal using Linux account credentials. Procedure 1. Open the Linux shell using your Linux administrator account credentials.
  • Page 96: Chapter 7: Global Fqdn Configuration

    Required FQDNs and certificates on page 25 Configuring the front-end FQDN Procedure 1. Log in to the Avaya Aura® Web Gateway administration portal. 2. Navigate to External Access > HTTP Reverse Proxy. 3. Configure the following settings:...
  • Page 97: Avaya Equinox Conferencing Configuration For Single Fqdn Deployments

    Configuring Avaya Equinox® conference control Procedure 1. Log in to the Avaya Equinox Management web administration portal. 2. Navigate to Settings > Advanced Parameters. 3. In Property Name, enter com.visionnex.vcms.core.uccp.customizedUCCPURL. 4. In Property Value, enter https://<Service FQDN>:443/uwd/ws?ticket=. For example: https://webservices.company.com:443/uwd/ws?ticket=.
  • Page 98: Configuring Web Collaboration

    Global FQDN configuration Configuring Web Collaboration Procedure 1. Log in to the Avaya Equinox Management web administration portal. 2. Navigate to Devices > Devices by Type > <Web Collaboration server name> > Configuration. 3. Configure the following settings: a. In Service FQDN and Local FQDN, enter the service FQDN that resolves to the IP address of the selected Web Collaboration node.
  • Page 99: Chapter 8: System Manager, Avaya Aura ® Device Services, Media Server, And Avaya Equinox Conferencing Configurations

    FQDN for the cluster will be the FQDN of the ® load balancer. If not, it will be the FQDN of the virtual IP assigned to the Avaya Aura Gateway cluster. Before you begin Ensure that you have administrative privileges to access System Manager.
  • Page 100: Configuring SIP Trunks For The Avaya Aura® Web Gateway On System Manager

    In the Description field, type a description of the access profile. k. Click Save. 7. Click Commit. 8. On the System Manager console, click Elements > Web Gateway to verify that the Avaya Aura® Web Gateway element has been added.
  • Page 101: Setting Up Serviceability Agents For Alarms On System Manager

    3. On the SIP Entity Details page, configure the following required field settings: • Name: Type a name for the SIP entity. • FQDN or IP Address: Type the FQDN or IP address of the Avaya Aura® Web Gateway. • Type: Select SIP Trunk.
  • Page 102: Configuring Avaya Aura Media Server In System Manager

    System Manager, Avaya Aura® Device Services, Media Server, and Avaya Equinox Conferencing configurations System Manager is now ready to receive alarms from Avaya Aura® Web Gateway. Configuring Avaya Aura® Media Server in System Manager About this task This procedure outlines the key System Manager configuration required for the Media Server.
  • Page 103: Configuring Avaya Aura Media Server Settings

    STUN/TURN address and port configured on the media server must match the STUN/TURN Listen IP & Listen port that are configured for the A1 interface of the Avaya SBCE. You must also use the default values for the following settings: •...
  • Page 104: Configuring The Avaya Aura® Web Gateway On Avaya Aura® Device Services

    Aura Web Gateway cluster. 3. On the HTTP Clients tab, ensure that the REST and OAMP options are not set to NONE. If these options are set to NONE, then the trusted host relationship between the Avaya...
  • Page 105: Configuring The Avaya Aura® Web Gateway On Avaya Equinox

    4. In Title, type a name of the updates or appcast for the client installer. 5. In Description, type the description of the client installer updates. 6. In Version, type the version details for the Avaya Equinox® client release. ...
  • Page 106: Route Configuration For An External Load Balancer

    Conferencing, see Administrator Guide for Avaya Equinox® Management. • A separate User Portal device must be added for each node on the Avaya Aura® Web Gateway cluster using its respective IP address and location. Procedure 1. Log on to the Avaya Equinox® Conferencing Management portal.
  • Page 107 8444. Avaya Aura® Device Services | /acs | <AADS Node 1 FQDN>:8448, <AADS Node 2 FQDN>:8448, <AADS Node X FQDN>:8448 | /acs October 2018 Deploying the Avaya Aura® Web Gateway Comments on this document? infodev@avaya.com...
  • Page 108: Chapter 9: Avaya Session Border Controller For Enterprise Configuration

    Chapter 9: Avaya Session Border Controller for Enterprise configuration Use the following sections to configure Avaya Session Border Controller for Enterprise (Avaya SBCE) for the Avaya Aura® Web Gateway. You must have a pool of IP addresses available for Avaya SBCE.
  • Page 109: Reverse Proxy Configuration

    Reverse proxy configuration Reverse proxy configuration checklist for a single FQDN deployment Perform the tasks outlined in this checklist to configure reverse proxy on the Avaya SBCE if you are using a single FQDN for all services. Task Notes Verify prerequisites.
  • Page 110: Prerequisites

    Management, Web Collaboration Services, and Avaya Aura Web Gateway. - One A1 interface for internal enterprise HTTP traffic. • If you are using multiple FQDNs, ensure that you have the following interfaces on Avaya SBCE: - One B1 interface per FQDN for each service.
  • Page 111: Checklist For Creating TLS Server Profiles For Reverse Proxy In A Multiple FQDN Deployment

    Create a TLS server profile using the installed certificate. Notes: Creating a TLS server profile, page 141. When creating a profile, use the certificate installed on the Avaya SBCE in the previous step. Provide a descriptive name for the profile. For example: webservicesTlsProfile. Related links...
  • Page 112 Create TLS server profiles using the installed certificates. Notes: Creating a TLS server profile, page 141. When creating profiles, use certificates installed on the Avaya SBCE in the previous step. Provide a descriptive name for each profile. For example: conferenceMgmtTlsProfile for the...
  • Page 113: Certificate Authority Configuration Checklist

    CA. To configure a CA, perform the tasks outlined in the following checklist: Task Notes Install the CA on the Avaya SBCE. Installing a CA certificate on Avaya SBCE on page 140. Provide a descriptive name for the CA. For example: certificateAuthority.
  • Page 114 4. In Service Name, enter a name for the profile. 5. Select the Enable check box to enable the reverse proxy profile. 6. In Listen IP, select the external B1 interface and the Avaya SBCE external leg IP addresses. 7. In Listen Port, enter 443.
  • Page 115: Configuring Internal Traffic Rules In A Single Fqdn For All Services Deployment

    Media Server. You must create one entry per each Web Collaboration Services server. <WCS2 FQDN>:443 /wcs2 <WCSX FQDN>:443 /wcsX The FQDN is the FQDN of each Avaya Aura® Media Server, and it resolves to the corresponding Avaya...
  • Page 116 4. In Service Name, enter a name for the profile. 5. Select the Enable check box to enable the reverse proxy profile. 6. In Listen IP, select the internal A1 interface and the Avaya SBCE external leg IP address. 7. In Listen Port, enter 443.
  • Page 117: Configuring External Traffic Rules In A Multiple FQDN Deployment

    Reverse proxy configuration checklist for a multiple FQDN deployment page 109. Procedure 1. Log in to the Avaya SBCE web administration portal. 2. Navigate to Device Specific Settings > DMZ Services > Relay Services > Reverse Proxy. ...
  • Page 118 4. In Service Name, enter a name for the profile. 5. Select the Enable check box to enable the reverse proxy profile. 6. In Listen IP, select the external B1 interface and the Avaya SBCE external leg IP address. 7. In Listen Port, enter 443.
  • Page 119: External Client Access Configuration

    Web Gateway system. For example: webgateway.company.com. External client access configuration The following sections describe how to configure Avaya SBCE if you are planning to use any external clients, including WebRTC, mobile, or desktop clients, outside the enterprise firewall. External client access configuration checklist Perform the tasks outlined in this checklist if you are planning to use any external clients, including WebRTC, mobile, or desktop clients, outside the enterprise firewall.
  • Page 120: Checklist For Creation Of A TLS Server Profile For A Management Interface

    Avaya Session Border Controller for Enterprise configuration Task Notes Configure WebRTC client side TURN. WebRTC client side TURN configuration on page 124. Configure support for external native media clients. External native clients media configuration on page 128. Checklist for creation of a TLS server profile for a management...
  • Page 121: Configuring Avaya SBCE Load Monitoring

    3. Click Add to create a new monitoring profile. 4. In Load Balancer Type, select INTERNAL. This is the load balancer on the A1 side of the network. Avaya Aura® Web Gateway performs load balancing towards the internal side. All HTTP requests sent for dialing out use the internal load balancer logic to identify the appropriate Avaya SBCE.
  • Page 122: Adding Avaya Session Border Controller For Enterprise To The Avaya Aura Web Gateway

    1. Log in to the Avaya Aura Web Gateway web administration portal. 2. Click Add to add a new Avaya SBCE or click Edit to update the information for the existing Avaya SBCE connection. 3. In SIP Address, type the FQDN or IP address of the internal A1 interface of the Avaya...
  • Page 123 5. Click OK. 6. Select the Avaya SBCE name from the list and do the following: a. In Listen/Relay Internal IP, enter the Avaya SBCE IP address of the internal A1 interface configured for the load balancer and for STUN/TURN interface.
  • Page 124: WebRTC Client Side TURN Configuration

    To enable client side TURN, you need to open TCP port 443 on the external firewall. Server side TURN uses a range of UDP ports and consumes less Avaya SBCE resources than client side TURN. However, if a WebRTC browser is behind a firewall that blocks UDP traffic, you might experience issues with WebRTC calls if using server side TURN.
  • Page 125 External firewall rules Port Protocol Description For TLS TURN. For traffic that runs from the internet to Avaya SBCE on the B interface. This option is only required if you are using TLS TURN and it provides better readability through firewalls.
  • Page 126 1. Log in to the Avaya SBCE web administration interface. 2. Navigate to Device Specific Settings > TURN/STUN Service. 3. From the Application pane, select the Avaya SBCE device for which the new TURN/STUN profile will be created. 4. Click TURN/STUN Profiles.
  • Page 127 1. Log in to the Avaya SBCE web administration interface. 2. Navigate to Device Specific Settings > TURN/STUN Service. 3. From the Application pane, select the Avaya SBCE device for which you need to create a new TURN relay service.
  • Page 128: External Native Clients Media Configuration

    External client access configuration checklist on page 119 External native clients media configuration checklist Perform the tasks outlined in this checklist if you are planning to use Avaya Equinox® mobile and desktop clients outside of your enterprise firewall. Task...
  • Page 129 Avaya Session Border Controller for Enterprise to the Avaya Aura Web Gateway page 122. • Configure one A interface IP address and one B interface IP address on the Avaya SBCE. TLS server profile checklist for external native clients media configuration Perform the following tasks to create a TLS server profile required for SIP communications with Avaya SBCE.
  • Page 130 Create a TLS server profile using the installed certificate. Notes: Creating a TLS server profile, page 141. When creating a profile, use the certificate installed on Avaya SBCE in the previous step. Provide a descriptive name for the profile. For example: conferencingManagementSipTlsProfil Related links...
  • Page 131 Description 35000 to 40000 For UDP media from Avaya SBCE. For media traffic that runs from the A interface of Avaya SBCE to the MCU 7K and MCU 6K servers. 12000 to 13200 For UDP media from media services. For media traffic that runs from MCU 7K servers to the A interface of Avaya SBCE.
  • Page 132 4. In Name, provide a name. 5. In IP Address, provide the network name, identified by the interface name and VLAN tag, and IP address of the Avaya SBCE used by SIP signaling messages traversing the network. 6. Leave the TCP Port field blank.
  • Page 133 For the new media rule, navigate to Encryption > Miscellaneous and select the Capacity Negotiation check box. c. On the Advanced tab, select the BFCP Enabled and FECC Enabled check boxes. ...
  • Page 134 Add the Avaya Aura® Web Gateway FQDN with port 5061 and TLS protocol specified. f. Repeat the previous substep for FQDNs of all Avaya Aura® Web Gateway nodes. g. In the Advanced Options section, select the Enable Grooming check box and then select the interworking profile created in the previous step.
  • Page 135: Certificate Setup

    From Media Interface, select the internal A1 interface. g. From End Point Policy Group, select required. 6. To add a flow for the Avaya Aura® Web Gateway, do the following: a. Navigate to Device Specific Settings > End Point Flows > Server Flows and then select Add.
  • Page 136 Contact E-mail: Provide the email address of the contact. 5. Click Generate CSR. 6. Download and save the CSR request file in the .CSR format. 7. Delete the key file generated and saved on Avaya Session Border Controller for Enterprise. Next steps Provide the .CSR file to a CA for signing.
  • Page 137: Signing Certificates With The System Manager CA

    10. Enter the user name and password that you used when creating the end entity. 11. Open the CSR request file in the CSR format in a text editor and copy its content into a text box on the page. ...
  • Page 138: Installing A Certificate And A Key

    For example: certificate1.pem and certificate1.key. Important: Do not use the dot (.) symbol in the file name. 2. Log in to the Avaya SBCE web administration portal. 3. Navigate to TLS Management > Certificates. 4. Click Install. 5. Configure the following fields: a.
  • Page 139: Installing The Equinox Management CA Certificate To Avaya SBCE

    Important: If the third-party CA provides separate Root CA and intermediate certificates, you must combine these certificates into a single file before installing to Avaya SBCE. To combine the files, append the content of each certificate file one after another.
  • Page 140: Installing A CA Certificate On Avaya SBCE

    Overwrite Existing: Select if you need to replace the existing certificate that has the same name. d. Allow Weak Certificate Key: Select if the certificate is signed with a weak key. e. Certificate File: select the CA certificate file downloaded from Avaya Equinox® Management. 8. Press Upload. ...
  • Page 141: TLS Client And Server Profiles Setup

    TLS client and server profiles setup Creating a TLS server profile Procedure 1. Log in to the Avaya SBCE web administration portal. 2. Navigate to TLS Management > Server Profiles. 3. Click Add. 4. In Profile Name, enter a name for the profile.
  • Page 142 Avaya Session Border Controller for Enterprise configuration 3. Configure the following interfaces: • Internal interface A1 with at least one IP address associated with it. • External interface B1 with at least one IP address associated with it. ...
  • Page 143: Chapter 10: Resources

    Chapter 10: Resources Documentation The following table lists other related documentation. All Avaya documentation is available at http://support.avaya.com/. Many documents are also available at http://documentation.avaya.com/. Title Use this document to: Audience Overview and planning Avaya Aura® Core Solution Understand the strategic, enterprise, and •...
  • Page 144: Finding Documents On The Avaya Support Website

    Avaya Aura® Media Server. Finding documents on the Avaya Support website Procedure 1. Navigate to http://support.avaya.com/. 2. At the top of the screen, type your username and password and click Login. 3. Click Support by Product > Documents.
  • Page 145: Avaya Documentation Portal Navigation

    Customer documentation for some programs is now available on the Avaya Documentation Portal at http://documentation.avaya.com/. Important: For documents that are not available on the Avaya Documentation Portal, click Support on the top menu to open http://support.avaya.com/. Using the Avaya Documentation Portal, you can: •...
  • Page 146: Training

    Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya products. About this task Videos are available on the Avaya Support website, listed under the video document type, and on the Avaya-run channel on YouTube. Procedure •...
  • Page 147: Support

    • Links to other pertinent information If you are an authorized Avaya Partner or a current Avaya customer with a support contract, you can access the Knowledge Base without extra cost. You must have a login account and a valid Sold-To number.
  • Page 148: Appendix A: Certificate Configuration Using The Configuration Utility

    The following sections describe how to configure certificates using the configuration utility process. You can also manage and update certificates using the Avaya Aura® Web Gateway web administration portal. For more information about working with the web administration portal, see...
  • Page 149: Getting Certificates Signed By The Third-Party CA

    • countryCode: The two-digit country code. • emailAddress: The administrator email address. 4. Verify that /opt/Avaya/AAWGportalCerts contains the .key and .csr files for front-end, node, OAMP, and SIP. Only the frontEnd.csr and frontEnd.key files are used. You can ignore the sip, oamp &...
  • Page 150: Applying Third-Party Signed Certificates To The Avaya Aura

    Certificate configuration using the configuration utility 2. Transfer certificates to Avaya Aura® Web Gateway. a. Transfer the signed .crt file to /opt/Avaya/AAWGportalCerts, and name it frontEnd.crt. b. Transfer the third-party root CA certificate to /opt/Avaya/AAWGportalCerts, and name it rootCA.crt.
  • Page 151: Adding Third-Party Root CA Certificates To The Avaya Aura

    • LDAP root CA certificate if you are using a secure LDAP connection. • SIP CA certificate if Session Manager has certificates signed by the SIP CA. You can manage truststore certificates by using the Avaya Aura® Web Gateway administration...
  • Page 152: Signing Identity Certificates For Avaya Aura

    Web Gateway using third-party CA certificates About this task You can use the following procedure to sign identity certificates for Avaya Aura® Web Gateway using third-party CA certificates. Note: In the following procedure, the third-party CA certificate can be a public CA or an internal private CA.
  • Page 153 - keyUsage = nonRepudiation, digitalSignature, keyEncipherment - extendedKeyUsage = serverAuth, clientAuth • Ensure that the CSR contains the following: - If the certificate is only used on the Avaya SBCE, the request contains the subjectAltName extension that lists the cluster FQDN in the SAN. ...
  • Page 154: Configuring System Manager To Trust Third-Party Root CA Certificates

    From the SSH session on the System Manager, run the following command as a root user: service jboss restart Note: The service jboss restart command affects the service for the System Manager. ...
  • Page 155: Creating A Client Certificate

    About this task Use this procedure to create a client certificate, which can be imported into a web browser for authenticating automatic login into the Avaya Aura® Web Gateway web administration portal. Procedure 1. Open the Linux shell using your Linux administrator account credentials.
  • Page 156: Importing Client Certificates Into Web Browsers

    Available certificate validation options Name Description OPTIONAL: Enables the Avaya Aura® Web Gateway to validate certificates presented by the clients to establish a secure HTTP connection with the Avaya Aura® Web Gateway. NONE: Prevents the Avaya Aura® Web Gateway from performing any validation on certificates presented by the clients.
  • Page 157 Certificate Authority (CA). REQUIRED: Ensures that the clients present a valid certificate that is signed or issued by a trusted CA to establish a secure HTTP connection with the Avaya Aura® Web Gateway.
  • Page 158: Glossary

    Attempts: The maximum number of calls supported for one hour in peak traffic conditions. Cassandra: Third party NoSQL database, which is used by Avaya Multimedia Messaging to store messaging data and configuration information. For more information, see https://cassandra.apache.org/. Domain Name...