Relay-only configuration for Microsoft SfB - Lync
Available in version 8.4 and later |
---|
Overview
There are some specific use cases where customers would like to prevent P2P traffic between SfB/Lync endpoints to avoid any-to-any relations, primarily due to security and firewall issues. The following list summarizes the key features:
- Built on top of the Verba system. It can be deployed as a relay-only solution or as a mixed environment with recorded and relay-only users.
- Standard AD sync profiles can be configured for specific users, where relay-only "recording mode" can be configured for the associated extensions/addresses.
- When the Verba Filter Service recognizes a voice/video call for a configured user, it will update the SDP and relay the call through a Verba Proxy Server. Verba Proxy Servers can be deployed in a resilient fashion providing load balancing and failover functions. The same proxy server can be used for recording as well.
- The system does not store any information about relay-only calls besides the standard log entries related to the filter and relay services.
- The Verba Proxy Server currently has the following limitations:
- It can only relay UDP streams, TCP is not supported
- It cannot support endpoints behind NAT (this will be resolved soon)
- Using AD sync, Verba stores the configuration of the users and their associated SIP URIs / phone numbers in an SQL Server. The configuration is automatically pushed down to all Verba servers, including the SfB FE filter applications. SfB FE filter applications store a local, cached copy of the configuration.
- A configured SfB user starts a voice/video call.
- The Verba Filter service detects the call for the configured user based on SIP URI/phone number. It forwards call setup messages to a Verba Proxy Server based on the load balancing and failover configuration.
- The Verba Proxy Server allocates relay ports and rewrites ICE candidates, then sends back the updated SDP to the filter application. Endpoints will connect via the relay port, internal routing logic will forward received RTP/RTCP packets to the other endpoint.
Network requirements
- Direct IP connectivity between the relay service and the call participants
- NAT traversing is currently not supported. If at least one endpoint is behind NAT, the call is expected to flow via the Edge Server.
- Network bandwidth: (codec rate + ~22.4 kbps packetization overhead) x 2x number of concurrent calls in both RX/TX direction
- Low delay, low jitter network link to SfB endpoints
QoS and Firewall requirements
- Dedicated port range for voice and for video calls can be specified
- DSCP/Diffserv TOS marking can be achieved by Windows QoS management: https://technet.microsoft.com/en-us/library/cc771283.aspx
- Firewall should allow inbound traffic from SfB endpoints (phones, mediation, AVMCU, ...) to relay port range and outbound traffic from relay ports to these endpoints
- One stream (voice or video) allocates 4 ports on the relay server (caller RTP+RTCP, callee RTP+RTCP).
- Skype for Business is now able to multiplex RTP and RTCP on the same port, even so, due to backward compatibility, we follow the “RTP on even, the RTCP on the next odd port number” rule
- By default the service listens on:
- UDP 16384-65535 – relay port range
- TLS 10201 – SfB filter connections
- More information: Port range and QoS settings for proxy based recording
Configuring relay-only extensions
Follow the steps below to configure a relay-only user:
Step 1 - In the Verba web interface click on Administration > Extensions.
Step 2 - Select the extension you would like to be a relay-only extension.
Step 3 - Under Recording Settings change the Recording Mode dropdown value to Relay Only.
Step 4 - Scroll down to the bottom of the page and click the Save button.
Step 5 - Follow the instruction in the yellow stripe above the extensions list to apply changes to Verba services.