Avaya Aura, Deployment Manual

Page 1: ...Deploying the Avaya Aura Web Gateway Release 3 5 Issue 1 October 2018 ...

Page 2: ...O NOT WISH TO ACCEPT THESE TERMS OF USE YOU MUST NOT ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE HOSTED SERVICE Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE HTTPS SUPPORT AVAYA COM LICENSEINFO UNDER THE LINK AVAYA SOFTWARE LICENSE TERMS Avaya Products OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA ARE APPLICABLE TO ANYONE WHO DOWNLOADS USES AND OR...

Page 3: ...distribution of the open source software The Third Party Terms shall take precedence over these Software License Terms solely with respect to the applicable Third Party Components to the extent that these Software License Terms impose greater restrictions on You than the applicable Third Party Terms The following applies only if the H 264 AVC codec is distributed with the product THIS PRODUCT IS L...

Page 4: ...gos and service marks Marks displayed in this site the Documentation Hosted Service s and product s provided by Avaya are the registered or unregistered Marks of Avaya its affiliates its licensors its suppliers or other third parties Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark Nothing contained in this site the Docum...

Page 5: ...tion 23 Planning checklist 23 Required skills and knowledge 25 Required FQDNs and certificates 25 Linux alias commands 27 System layer commands 29 sys secconfig command 30 sys versions command 30 sys volmgt command 30 sys smcvemgt command 34 Resource profile specifications 37 Resource profile specifications for Avaya Aura Web Gateway on VMware 37 Resources profile specifications for Avaya Aura Web...

Page 6: ...uration options 91 Advanced configuration 93 Starting services using a command line 94 Configuring OAMP to use Linux account credentials on the Avaya Aura Web Gateway administration portal 95 Chapter 7 Global FQDN configuration 96 DNS configuration 96 Configuring the front end FQDN 96 Avaya Equinox Conferencing configuration for single FQDN deployments 97 Configuring Avaya Equinox conference contr...

Page 7: ...onitoring 121 Adding Avaya Session Border Controller for Enterprise to the Avaya Aura Web Gateway 122 Adding Avaya Session Border Controller for Enterprise to Avaya Equinox Conferencing Management 122 WebRTC client side TURN configuration 124 External native clients media configuration 128 Certificate setup 135 Creating a certificate signing request on Avaya Session Border Controller for Enterpris...

Page 8: ...R using OpenSSL 151 Signing identity certificates for Avaya Aura Web Gateway using third party CA certificates 152 Configuring System Manager to trust third party root CA certificates 154 Creating a client certificate 155 Importing client certificates into web browsers 156 Glossary 158 Contents October 2018 Deploying the Avaya Aura Web Gateway 8 Comments on this document infodev avaya com ...

Page 9: ...s release on page 11 Updated Avaya Aura Web Gateway overview on page 11 Updated the sections under Geographical distribution overview on page 14 Updated Product compatibility on page 18 Added a new chapter Deployment process on page 20 Updated Planning checklist on page 23 Replaced the required IP address information with Required FQDNs and certificates on page 25 Added Performing a silent install...

Page 10: ...dditional information in the sections under Avaya Session Border Controller for Enterprise configuration on page 108 Updated Documentation on page 143 Minor rephrasing throughout the document Introduction October 2018 Deploying the Avaya Aura Web Gateway 10 Comments on this document infodev avaya com ...

Page 11: ... only deployment option is available but it is not described in this document The Conferencing only option follows a different deployment process For more information see Deploying Avaya Equinox Solution New in this release The following is a summary of new functionality that has been added to the Avaya Aura Web Gateway in Release 3 5 Avaya Breeze authorization Users that previously authenticated ...

Page 12: ...on Border Controller Avaya Aura Session Manager Avaya Aura SMGR Avaya Aura CM Presence Service Avaya Aura Device Services Avaya Aura Media Server Avaya Aura Web Gateway Avaya Equinox Unified Portal Endpoint Service Gateway Conferencing Audio Video Web Recording Figure 1 Avaya Equinox and Conferencing deployment topology Topology diagram This section provides a graphical representation of the Team ...

Page 13: ...rvices Media Server MCU 7K 6K Internet Web Zone Application Zone Enterprise Network Session Border Contorller Management network Equinox Application Zone network Internet networks Avaya Enterprise networks Session Border Controller Web Zone network Clients in Internet networks Clients in Enterprise networks UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP HTTPS HTTPS HTTPS HTTPS HTTPS H T T P S H T T P S H...

Page 14: ...hich may be located in the same data center or in different data centers Avaya Aura Session Manager and Avaya Aura Communication Manager are important for call routing To optimize media delays for point to point calls deploy these components in a distributed manner across your data centers The way in which these components are geographically distributed is outside the scope of this document For mo...

Page 15: ...re two data centers with one Avaya Aura Web Gateway in each data center Clients are located in different data centers outside of the firewall and registered on the Avaya Aura Web Gateway to receive calls When one client makes a call to the other the call follows the following flow 1 Both clients log in to the corresponding Avaya Aura Web Gateway and activate the call service a A client in data cen...

Page 16: ...nvite to the Avaya Aura Web Gateway from DC2 where the second client is logged in 6 The Avaya Aura Web Gateway from DC2 uses the Session Border Controller and Avaya Aura Media Server deployed on DC2 to pass the media through the firewall to the second client DC1 DC1 firewall DC2 DC2 firewall GSLB Load Balancer Load Balancer Session Border Controller Session Manager Communication Manager Session Ma...

Page 17: ...a Aura Web Gateway and activate the call service Both clients resolve the FQDN to the address of the load balancer deployed on DC1 and communicate with the Avaya Aura Web Gateway deployed on DC1 2 The external client initiates the call 3 The Avaya Aura Web Gateway sends the SIP call to Session Manager deployed on DC1 4 Session Manager deployed on DC1 forwards the call to the same Avaya Aura Web Ga...

Page 18: ...anager Avaya Aura Web Gateway node 1 Avaya Aura Media Server Avaya Aura Device Services Avaya Aura Device Services Load Balancer Interoperability Product compatibility Avaya Aura Web Gateway interacts with the following components For information about interoperability and supported product versions see https secureservices avaya com compatibility matrix menus product xhtml Avaya Aura Web Gateway ...

Page 19: ...elf The Avaya Equinox Conferencing solution provides conferencing and collaboration functionality Avaya Equinox Conferencing is not available with the Avaya Aura Web Gateway Avaya Equinox only deployment option Avaya SBCE A component that provides a common element to enable secure access to the Avaya infrastructure from untrusted networks such as the internet In addition to SIP firewall services t...

Page 20: ...page 42 Perform configuration Perform the appropriate configuration tasks for each deployment option For more information see Configuration worksheet on page 20 Configuration worksheet Use this checklist to determine the configuration requirements for each deployment type The deployment types are Single FQDN single data center Multiple FQDNs single data center Multiple data centers which is also k...

Page 21: ...t generate a Certificate Signing Request CSR and get it signed by a public CA For this deployment use System Manager certificates if possible Configure System Manager See Adding the Avaya Aura Web Gateway to System Manager on page 99 Configure Avaya Aura Media Server See Configuring Avaya Aura Media Server settings on page 103 Configure Avaya Aura Device Services See Configuring the Avaya Aura Web...

Page 22: ...everse proxy configuration on page 109 If you are planning to use external clients outside the enterprise firewall configure client access See External client access configuration on page 119 Configure an external load balancer See Route configuration for an external load balancer on page 106 Deployment process October 2018 Deploying the Avaya Aura Web Gateway 22 Comments on this document infodev ...

Page 23: ...e that you have all required skills and knowledge Before deploying Avaya Aura Web Gateway ensure that you have all required skills and knowledge described in this chapter 2 Ensure that you have all required components and equipment Team Engagement deployments require Avaya Aura Your deployment can also include Conferencing For more information about components see Product compatibility on page 18 ...

Page 24: ...stem require a single data center or multiple regionally distributed data centers 4 Ensure that you can log in to the Avaya Product Licensing and Delivery System PLDS to download software and to obtain licences Ensure that you have access to PLDS and can download files Download the Avaya Aura Web Gateway installation file from PLDS Avaya Aura Web Gateway software and enhanced user privileges are l...

Page 25: ...with Amazon Machine Images AMIs and with the AWS Management console For a list of supported browsers in AWS see https aws amazon com console faqs browser_support Install deploy and use key Avaya Aura components Use basic Linux commands Related links Product compatibility on page 18 Required FQDNs and certificates Required FQDNs Required certificates In a single FQDN model you require one FQDN that...

Page 26: ... portal server virtual IP address For example webgateway company com Internally the FQDN resolves to the virtual IP address of the Avaya Aura Web Gateway portal service In a multiple FQDN deployment the FQDN resolves externally to the IP address of the external Avaya SBCE interface The certificate must include the global services FQDN in the SAN In a single FQDN deployment the certificate for each...

Page 27: ...their functionality description Alias Description cdto Change to frequently used directories app Perform application functions such as install or backup svc Manage the state of application related services Some of the alias commands are only available after the application has been installed You can type any of the aliases in a Linux shell to list the supported commands The following image provide...

Page 28: ...e The alias commands operate only on the active installation unless specified Table 2 Examples of alias commands to be used in a Linux shell Alias example Function provided cdto logs Changes to the log directory of the active installation on the system app install Runs the staged application installer svc telportal restart Restarts the telportal service Note The aliases must be used only from the ...

Page 29: ...ption of each available system layer command The following is an example admin server dev sys hh The sys command line alias facilitates access to the following commands related to the system layer of UCApp appliances To obtain help with each of these commands use the h or help argument for help with command line syntax and hh or hhelp for verbose help secconfig Manages security related settings ve...

Page 30: ...summary of key system layer information including the type of appliance OVA the version number of the system layer the version of the current partitioning and the OVA that was originally deployed admin server4889csa sys versions Appliance type AAWG System layer version 3 4 0 0 2 Partitioning version 2 0 Original OVA deploy csa 3 3 0 0 365 admin server4889csa sys volmgt command Syntax help sys volm...

Page 31: ...terrupted it can be re run using the same command but WITHOUT specifying the size argument For example the following command is used to perform step 2 only for the application log volume var log Avaya sys volmgt extend var log Avaya If in doubt as to whether or not all file systems have been fully extended in their respective volumes step 2 can be executed across all volumes using a single command...

Page 32: ...is help version v Prints the version of this script to stdout status st Prints the current status of this tool Use this to determine if there is a background operation in progress or the results of the last background operation summary s Prints a summary of disks the LVM volumes contained on each disk and the file system contained in each LVM volume Disk information includes the size of the disk a...

Page 33: ... volume is extended by that amount reducing the amount of free space on the disk by that amount Specific sizes are in the form of a number e g 10 10 5 or 5 and a unit Units are m for mebibites g for gibibytes and t for tebibytes The smallest increment that can be specified is 100 MiB Example invocations sys volmgt extend var log Avaya 10g sys volmgt extend var log Avaya 10 5g sys volmgt extend var...

Page 34: ...ches are enabled the system might experience noticeable performance losses If the patches are disabled the system is not protected against the Variant 2 Spectre and Variant 3 Meltdown vulnerabilities By default Linux patches for Variant 2 Spectre and Variant 3 Meltdown are enabled The Variant 2 Spectre patch is enabled with Linux kernel defaults In default operation mode the Variant 2 Spectre Linu...

Page 35: ...l patches for the following Spectre and Meltdown vulnerabilities Variant 2 Spectre CVE 2017 5715 Variant 3 Meltdown CVE 2017 5754 The kernel patch for the following related vulnerability is permanently enabled on the system cannot be disabled Variant 1 Spectre CVE 2017 5753 Note that hardware support is required for Variant 2 Spectre to be fully functional CPU microcode updates must be applied in ...

Page 36: ...If a v2 or v3 argument is not specified the current system value for that item is retained v2 mode disabled Variant 2 Spectre is disabled default The kernel decides how to set tunables for Variant 2 Spectre based on the processor architecture Note that for architectures prior to Skylake the kernel selects retpoline return trampoline over ibrs kernel Use ibrs i e kernel space only user Use ibrs_use...

Page 37: ... Variant 2 Spectre and Variant 3 Meltdown where Variant 2 Spectre is set to kernel space only sys smcvemgt set v2 kernel v3 enabled The following command enables patches for Variant 2 Spectre which are configured for user space with Retpoline or return trampoline Variant 3 Meltdown retains its current settings sys smcvemgt set v2 user retp Command for disabling patches The following command disabl...

Page 38: ...2500 Avaya Equinox Busy Hour Call Attempts BHCA 20 Portal user requests per second 33 Conferencing calls per second 25000 Avaya Equinox BHCA 40 Portal user requests per second 50 Conferencing calls per second 50000 Avaya Equinox BHCA 60 Portal user requests per second Resources profile specifications for Avaya Aura Web Gateway on Amazon Web Services The following table outlines the profiles create...

Page 39: ...the enterprise To reduce latency for authentication and directory lookup operations this LDAP server must be collocated with Avaya Aura Web Gateway in the same AWS region Connection types You can connect applications in a hybrid network on the Virtual Private Cloud VPC in the following ways Connection type Resource VPN connection For information about VPN connections see http docs aws amazon com A...

Page 40: ...finity means that all requests from the client are always routed to the same server Session affinity is based on cookies The reverse proxy inserts a cookie to responses for incoming HTTP requests and routes subsequent requests that contain the same cookie to the same Avaya Aura Web Gateway server This feature is also known as sticky sessions Do not use IP based sticky sessions because this might a...

Page 41: ... Web Gateway servers using TCP responses To avoid leaving multple TCP sockets opened you must be able to configure TCP health checks to half opened connections The external HTTP load balancer must be able to use standard headers to determine the FQDN from the original request that is used to reach the system Avaya Aura Web Gateway uses the Host header to identify the FQDN that is used by the clien...

Page 42: ...n see VMware deployments on page 43 Amazon Web Services deployments on page 47 The Avaya Aura Web Gateway OVA file includes openjdk Operating system updates for virtual machines include updates for openjdk 2 Increase the partitioning volumes for VMware deployments In a VMware environment you must adjust the virtual disk volumes This procedure is not required for AWS deployments 3 Install or restor...

Page 43: ...Pricing in Avaya Aura Web Gateway Offer Definition OVA deployment Use one of the following procedures to deploy the OVA You can use vCenter vSphere or Solution Development Manager SDM Deploying the Avaya Aura Web Gateway OVA using vCenter Procedure 1 Log in to vCenter 2 Navigate to File Deploy OVF Template 3 From the Source page click Browse and then select the OVA file For example csa version _OV...

Page 44: ...e source network used with the appropriate destination network b Click Next 11 From the Properties page do the following a Complete the required network information such as your IP address host name or FQDN Netmask and DNS b Enter credentials for a Linux administrator user which include the user name password and group The default user name is admin group is admingrp and password is avaya123 12 Fr...

Page 45: ...ution Deployment Manager from System Manager About this task Use this procedure to create a virtual machine on the ESXi host and deploy the Avaya Aura Web Gateway OVA on the virtual machine Before you begin Ensure that you are familiar with the Deployment checklist section in Deploying Avaya Aura applications from System Manager Add Appliance Virtualization Platform AVP or an ESXi host to the loca...

Page 46: ... the local or remote library where the OVA file is located c In Select OVAs select the OVA that you want to deploy d In Flexi Footprint select the footprint size that the application supports 9 On the Configuration Parameters page specify the following Management network settings Public network settings Admin user details 10 On the Network Parameters page choose any application 11 Click Deploy 12 ...

Page 47: ... cli and http docs aws amazon com cli latest userguide cli chap getting started html cli quick configuration Signing in to the Amazon Web Services Management console Before you begin Ensure that you have an AWS account Procedure 1 In your web browser type the URL https aws amazon com 2 Click Sign In to the Console The system displays the Amazon Web Service page and auto populates the Account field...

Page 48: ...used to decrypt the encrypted data You provide this key pair when you create a CloudFormation stack and use it for SSH access to the Amazon Machine Instances Procedure 1 Sign in to the Amazon Web Services Management console 2 In the left navigation pane go to NETWORK SECURITY and click Key Pairs 3 Click Create Key Pair 4 In the Create Key Pair dialog box in the Key pair name field type a name for ...

Page 49: ...s procedure to create a role named vmimport for importing files into the S3 bucket Use the AWS CLI to run the commands in this procedure Procedure 1 Start a command line interpreter on a computer with the installed AWS CLI 2 Run the following command to create a role named vmimport and let the AWS image import service assume this role aws iam create role role name vmimport assume role policy docum...

Page 50: ...he aws 001 ova suffix Importing the OVA for AMI conversion About this task You can use files in the JSON format that are included in the AWS configuration files artifact The AWS configuration files artifact also contains single node and multi node CloudFormation template generators that you use for AWS server deployment The AWS configuration file contains the following trust policy json role polic...

Page 51: ...tTaskId parameters In the following example when the system converts the CM Simplex OVA ImportTaskId is import ami ffmanv5x Status active Description version aws 001 ova Progress 2 SnapshotDetails UserBucket S3Bucket version dev S3Key version aws 001 ova DiskImageSize 0 0 StatusMessage pending ImportTaskId import ami fftlelct 5 To check the status of the import image run the following command aws ...

Page 52: ... the configuration files to your computer Extract the two CloudFormation generator HTML files from the compressed file Procedure To create a single node CloudFormation template do the following 1 In your web browser run the template generator by opening the Single Node Cloud Template Gen html file 2 In Product select the required application and profile size 3 Click Generate template 4 Save the fi...

Page 53: ...ecurity Groups Generate a single node CloudFormation template Ensure that you have network access to the Amazon VPC before deploying an AMI Procedure 1 Sign in to the AWS console and navigate to Services Management Tools CloudFormation CloudFormation is an AWS service used to create a stack A stack is a graph of objects such as EC2 instances and EBS volumes inside the Amazon cloud CloudFormation i...

Page 54: ... and Enter role arn 16 Click Next 17 On the Review page confirm the stack information 18 Click Create to create the stack The system displays the Stacks page which shows the stack creation status 19 Wait until the status displays CREATE_COMPLETE You can monitor the status of the stack creation and review the properties using the tabs at the bottom of the Stacks page 20 Click the Resources tab 21 C...

Page 55: ...is the service FQDN of the cluster This domain name portion of the FQDN represents the domain name that clients use to access service The FQDN must be the combination of the stack name followed by the domain For example if the stack name is yourStack and the domain is your domain com then the FQDN is yourStack your domain com Note The stack name must start with a letter and must contain only lette...

Page 56: ...e BEGIN and END labels for each section that you paste into the form a In the Private Key section copy the string from BEGIN PRIVATE KEY to END PRIVATE KEY and paste it into the Certificate private key field b In the Certificate section copy the first certificate string from BEGIN CERTIFICATE to END CERTIFICATE and paste it into the Certificate body field c In the Certificate section copy the seco...

Page 57: ...ocedure Procedure 1 Sign in to the Amazon Web Services Management console 2 Navigate to Services Management Tools CloudFormation 3 Click Create Stack The AWS EC2 Management console displays the first page of the Create stack wizard 4 On the Select Template page in the Choose a template area click Choose File 5 Select the multi node yaml CloudFormation template file that you generated 6 Click Next ...

Page 58: ...area select SSH key for administrator login 14 Copy the ARN saved in the Details section and paste it into the Load balancer certificate ARN field For information on copying the ARN see Creating and applying load balancer certificates on page 55 15 Click Next The system displays the Options page 16 Optional In the Tags area add tags to help you find and organize your AWS objects 17 In the Permissi...

Page 59: ...ervers deployed in AWS are contained within a Virtual Private Cloud VPC End user clients are present within a separate network but require access to the servers in AWS You must create a VPN to enable client access You must configure VPN gateways at both ends of the tunnel The address range assigned to the VPC must route to the gateway on your side of the tunnel Within AWS the address range that cl...

Page 60: ... column select an AWS side gateway that can reach the destination 16 Click Save Configuring on premise DNS resolution of VPC addresses About this task This configuration allows on premise clients to access the servers hosted in the AWS VPC Use this procedure to configure your local on premise DNS server with a new DNS forwarding zone so that client DNS resolution requests are forwarded to a DNS se...

Page 61: ...upports this feature This feature causes resolution requests for the zone to be forwarded to the VPC DNS server before attempting to resolve them locally 4 Enable the DNS server changes by reloading the configuration or restarting the DNS server 5 Verify that the DNS resolution completes by performing a lookup of the test FQDN using a DNS resolution utility such as nslookup or dig For example you ...

Page 62: ... the license agreement c When prompted type yes to accept the license agreement 2 Enter a password for the system administrator 3 To configure the NTP servers do one of the following Press Enter to accept the default Amazon NTP time servers Enter one or more comma separated NTP server IP addresses or FQDNs and then press Enter Important The NTP servers that you configure must be reachable from thi...

Page 63: ...Web Gateway Before you begin Open the Linux shell using the Linux administrator account credentials Procedure 1 To remove the Avaya Aura Web Gateway from the system run the following command app uninstall 2 When prompted type the following a uninstall and press Enter b yes and press Enter Uninstalling the Avaya Aura Web Gateway October 2018 Deploying the Avaya Aura Web Gateway 63 Comments on this ...

Page 64: ...yment process 2 To install the Avaya Aura Web Gateway run the following command app install When you run the app install command without specifying a build then the system automatically picks up the current build in opt Avaya If you do specify a build by running app install csa version bin then the system looks for that build first in your current working directory and then in opt Avaya The system...

Page 65: ...at signs the certificates for Avaya Aura Web Gateway services c Optional Select System Manager web admin username o and System Manager web admin password and provide the credentials d Select System Manager HTTPS Port and type the port for contacting the REST interface of Avaya Aura System Manager The default port is 443 e Select System Manager Enrollment Password and type the Avaya Aura System Man...

Page 66: ... cluster an external load balancer is recommended for clusters with four or more nodes For a cluster deployment that uses an external load balancer you must configure Front end IP or FQDN as the FQDN corresponding to the external load balancer If you use an external load balancer do not configure the virtual IP settings that enable the internal load balancer a Select Clustering Configuration Virtu...

Page 67: ...settings Note The properties file does not contain settings for the following elements The Avaya Aura Web Gateway cluster The SSH RSA configuration You must configure these settings using the configuration utility after the silent installation is complete If errors occur after the installation you can use the configuration utility to re configure some of the settings Procedure 1 From the Avaya Aur...

Page 68: ...ortant You cannot configure backup nodes using the standard interactive installation process Specify backup nodes in the SEED_NODE_BACKUP property of the installation properties file The value of this parameter is a list of IP addresses separated by commas For example SEED_NODE_BACKUP 192 168 150 3 192 168 150 4 If the seed node is unavailable Cassandra tries to replace it with a node listed in SE...

Page 69: ...the deployment process 2 To install the Avaya Aura Web Gateway run the following command app install When you run the app install command without specifying a build then the system automatically picks up the current build in opt Avaya If you do specify a build by running app install csa version bin then the system looks for that build first in your current working directory and then in opt Avaya T...

Page 70: ... the local keystore The keystore password on additional nodes should match the keystore password for the initial node Important You must remember the keystore password for future reference You need this password for other certificate management tasks f Configure additional settings that are required for your system as described in Front end host System Manager and certificate configuration on page...

Page 71: ...nfigure all of the Virtual IP settings as described in Virtual IP configuration options on page 91 Important You must use the same Virtual IP authentication password that you set on the initial node of the cluster d To save the changes on the system select Apply and then select Continue e Select Return to Main Menu and press Enter 11 To apply the changes from the main menu select Continue and then...

Page 72: ...generating keys for the first time or if you need to generate keys for a new node in the cluster Otherwise enter n no 5 If you chose to update the node list in the previous step when the system prompts you enter the IP address of the non seed node in the cluster you want to generate keys for and then press Enter 6 Repeat the previous step for all remaining non seed nodes 7 When the system prompts ...

Page 73: ...ystem Manager and Certificate Configuration option during the installation then the self signed certificates are automatically generated Self signed certificates are also generated when The System Manager FQDN option is not set The Use System Manager for certificates option is set to n and certificates were not provided for one of the interfaces REST OAMP SIP or NODE You can modify certificate con...

Page 74: ...tem Manager web administration portal password SMGR_USER_PASSWORD System Manager HTTPS Port The HTTPS port used for the Alarm Agent for the current Avaya Aura Web Gateway server The default value for this setting is 443 SYSTEM_MGR_HTTPS_PORT System Manager Enrollment Password The Avaya Aura System Manager enrollment password Note To get the password log in to System Manager and navigate to Service...

Page 75: ...g Avaya Session Border Controller for Enterprise Note You can also set this port on the Avaya Aura Web Gateway administration portal under External Access HTTP Reverse Proxy After selecting the Front end port for remote access check box you can modify the port value Use System Manager for certificates Specifies if the certificates are retrieved from Avaya Aura System Manager or from imported files...

Page 76: ...nfiguration utility uses this value to generate certificates for the node Important In a clustered configuration the Local frontend host is different from one node to the other and is also different from the Front end FQDN LOCAL_FRONTEND_HOST Keystore password The keystore password for the MSS and Tomcat certificates The minimum length for this password is 6 characters The characters supported for...

Page 77: ...er Load LDAP properties from file The Load LDAP properties from file menu contains an item called Path to properties file You can create a Java properties file that contains the LDAP properties instead of entering the LDAP configuration settings manually The Path to properties file option is for configuring the absolute path to this file The LDAP properties file must contain the equivalent propert...

Page 78: ... see https www 10 lotus com ldd dominowiki nsf dx IBM_Domino_TLS_1 0 Novell e Directory 8 8 OpenLDAP 2 4 Oracle Directory Server Enterprise Edition 11g Release 1 11 1 1 7 0 For detailed information about supported product releases see the Avaya Compatibility Matrix ldapType URL for LDAP server The URL for gaining access to the LDAP server This is a mandatory setting The URL must have the following...

Page 79: ...ver that is offline If this outcome cannot be tolerated a more reliable load balancing mechanism such as a dedicated load balancer in front of the LDAP servers will be needed For Active Directory use the Global Catalog service port instead of the default LDAP LDAPS ports Bind DN The Distinguished Name DN of the user that has read and search permissions for the LDAP server users and roles This is a...

Page 80: ...P server For example sAMAccountName uidAttrID Base Context DN The DN of the context used for LDAP authentication For example ou csasusers dc example dc com baseCtxDN Administrator Role The list of LDAP roles that match the Avaya Aura Web Gateway Administrator role For example If the role is configured as CSAAdmin CSAxyz any user whose list of roles contains CSAAdmin or CSAxyz is mapped to the Avay...

Page 81: ...n roles So they must match exactly to the role name found for a user in order for the mapping of the LDAP roles to the Avaya Aura Web Gateway application roles to succeed securityAdminRole Auditor Role The list of LDAP roles that match the Avaya Aura Web Gateway Auditor role For example If the Auditor role is configured as CSAAuditor CSAxyz any user whose list of roles contains the CSAAuditor or C...

Page 82: ... Services Administrator Role The list of LDAP roles that match the Services Administrator role For example If the User role is configured as CSAUser CSAxyz any user whose list of roles contains the CSAUser or CSAxyz role is mapped to the Avaya Aura Web Gateway Services Administrator role Note The values of the roles are case sensitive when they are mapped to the application roles So they must matc...

Page 83: ...tion is used to validate the following LDAP settings Verifies that the user is searchable with a given base DN and search filter Lists the group to which the user belongs user administrator or auditor Validates the values for Role Attribute ID and Role Name Attribute Verifies the Last Updated Time attribute role filter syntax and active users search filter syntax The configuration is not saved if ...

Page 84: ...Of roleAttrID Roles Context DN The Roles Context DN to use for searching roles The roles search in LDAP is performed by using the Roles Context DN in combination with the Role Filter For example ou csasusers dc example d c com rolesCtxDN Role Name Attribute This parameter has a different meaning depending on the value of RoleAttributeIsDN If RoleAttributeIsDN is true the value of the attribute set...

Page 85: ...on Allow Empty Passwords true false The setting to determine if empty passwords are allowed in the LDAP directory allowEmptyPasswords Search Scope 0 2 The setting to determine the scope of the role search The role search starts from the Role Context DN and uses the Role Filter The search scope determines the depth of the search as follows Level 0 also named OBJECT_SCOPE indicates that the search i...

Page 86: ...od of determining whether a user is active this setting must contain the attribute that determines if a user is active If this setting is not configured the User Management component handles all the users as active users For example objectClass user objectCategory Person userAccountControl 1 2 840 113556 1 4 803 2 activeUsersFilter Last updated time attribute The attribute indicating the last time...

Page 87: ... in the authentication and authorization domain and in the other LDAPs used for search As of Release 3 4 the multiple authentication and authorization feature removes the requirement for a single domain for authentication and authorization and facilitates the following deployments A single LDAP infrastructure belonging to a single organization with multiple configured domains Two distinct LDAP inf...

Page 88: ...ya Aura Web Gateway configuration utility using the app configure command 2 Select LDAP Configuration Advanced LDAP parameters 3 Configure the parameter settings as described in Parameter settings on page 88 4 Configure the attributes as described in Role configuration on page 90 LDAP parameter descriptions Parameter settings The following table describes the parameter settings according to the se...

Page 89: ...ich the user belongs to CN This contains the group s name e g AAWGAdmin etc Role Attribute is DN true The memberOf values are the DNs of the group mailing list objects false The Role Attribute ID already contains the role string name Role Name Attribute CN The attribute defined by Role Name Attribute contains the group name For example AAWGAdmin Leave this empty because Role Attribute is DN is fal...

Page 90: ...application role AAWGAdmin User Role This role specifies the list of the role string extracted from LDAP that would be mapped to the Avaya Aura Web Gateway server USERS application role AAWGUsers Auditor Role This role specifies the list of the role string extracted from LDAP that would be mapped to the Avaya Aura Web Gateway server AUDITOR application role AAWGAuditor Service Administrator Role A...

Page 91: ...ame for the initial node The Cassandra database password for the initial node INITIAL_NODE If you configure this setting to n no you must also configure the following parameters SEED_NODE REMOTE_UID CURRENT_CASSANDRA_USER CURRENT_CASSANDRA_PASSWORD Local node IP address The IP address of the local node CLUSTER_IP_ADDR Virtual IP configuration options Option Description Equivalent installation prop...

Page 92: ...irtual IP master set this value to y yes on the initial node In addition as the second node in a cluster is usually designated the virtual IP backup set this value to n no on the second node KA_MASTER_YN Virtual IP router ID An integer with a value from 1 to 255 The value must be the same for both virtual IP master and backup The default value is 71 This value must be unique across Virtual Router ...

Page 93: ...n script Avaya recommends that you run this script to configure the firewall automatically and not perform a manual configuration Warning The firewall configuration script replaces the current configuration of the firewall on the server where you are performing the installation so you must open any other ports required for your server manually after you run this script RUN_FIREWALL_CONFIG If you s...

Page 94: ... setting must contain the path to the security banner file The security banner file is a text file that contains the security warnings displayed when a user or administrator logs in to the administration portal or using an SSH console SECURITY_BANNER_PATH Starting services using a command line About this task Use this procedure to start application services after you complete installation Procedur...

Page 95: ...cess groups properties and update the list of groups allowed to access the web administration portal as required Ensure that entries in the group list are separated by a comma The following is an example OAMP access linux groups com avaya cas access groups admin admingrp com avaya cas access groups securityadmin admingrp Users that are part of the admingrp group have access to the web administrati...

Page 96: ...al DNS configuration have a single FQDN record for example webservices company com that points to the reverse proxy or load balancer interface for external traffic For internal DNS configuration have a single FQDN record for example webservices company com that points to the reverse proxy or load balancer interface for internal traffic For a multiple FQDNs deployment configure DNS as follows For e...

Page 97: ...port to this remote access port 7 If you are configuring a geographically distributed system select the Enable use of an external load balancer check box 8 Click Save Related links Geographical distribution overview on page 14 Avaya Equinox Conferencing configuration for single FQDN deployments Configuring Avaya Equinox conference control Procedure 1 Log in to the Avaya Equinox Management web admi...

Page 98: ...nce1 company com b In IP Address enter the IP address that is resolved from the service and local FQDNs c In Public URL Branch enter Service FQDN Web Collaboration Services node prefix For example webservices company com webconference1 Note The public branch URL is used to support multiple Web Collaboration Services nodes with a single public FQDN 4 Repeat the previous steps for each Web Collabora...

Page 99: ...a Aura Web Gateway cluster Before you begin Ensure that you have administrative privileges to access System Manager For information about accessing System Manager see Administering Avaya Aura System Manager Procedure 1 On the System Manager web console click Services Inventory 2 In the left navigation pane click Manage Elements 3 On the Manage Elements page click New The system displays the New El...

Page 100: ... to verify that the Avaya Aura Web Gateway element has been added Configuring SIP Trunks for the Avaya Aura Web Gateway on System Manager About this task The Avaya Aura Web Gateway sends SIP messages to Session Manager port 5061 using TLS Use this procedure to ensure that Session Manager is configured to accept these messages Important For an Avaya Aura Web Gateway cluster repeat this procedure fo...

Page 101: ...iceability Agents for alarms on System Manager Before you begin On System Manager set up an SNMPv3 user profile from Services Inventory Manage Serviceability Agents SNMPv3 User Profiles Set up an SNMP target profile from Services Inventory Manage Serviceability Agents SNMP Target Profiles About this task To receive Avaya Aura Web Gateway alarms in System Manager you must set up Serviceability Agen...

Page 102: ...em Manager server The Media Server must be enrolled with System Manager release 7 0 1 1 or higher For more information about System Manager enrollment see Implementing and Administering Avaya Aura Media Server 2 Administer locations for all Media Server clusters a In System Manager navigate to Elements Media Server Server Administration b In each required Media Server set the location For more inf...

Page 103: ...hentication and click Save 6 Navigate to System Configuration Media Processing ICE STUN TURN Servers and select the required STUN and TURN servers Tip You can verify the network configuration when you are using Avaya Session Border Controller for Enterprise Avaya SBCE to provide the STUN TURN service The STUN TURN address and port configured on the media server must match the STUN TURN Listen IP L...

Page 104: ...e that the REST and OAMP options are not set to NONE If these options are set to NONE then the trusted host relationship between the Avaya Aura Web Gateway and Avaya Aura Device Services will not work The Avaya Aura Web Gateway will also not be able to communicate with Avaya Aura Device Services Uploading clients to the web deployment service About this task Use this procedure to upload Windows an...

Page 105: ...x platform Windows Macintosh 8 In File click Choose File and select one of the following files to upload For Avaya Equinox for Windows select the exe or msi installation file For Avaya Equinox for Mac select the zip archive containing the dmg installation files Configuring the Avaya Aura Web Gateway on Avaya Equinox Conferencing About this task If your deployment includes Conferencing use this pro...

Page 106: ...ay location assignment on the Avaya Aura Web Gateway administration portal e Click OK 3 Wait for a few minutes until the newly added User Portal Device indicator changes from gray to green Route configuration for an external load balancer Reverse proxy and load balancer need to accept external and internal connections to the Service FQDN 443 address For example conferencing avaya com 443 Usually t...

Page 107: ...DN port AAWG Node 2 FQDN port AAWG Node X FQDN port For internal requests use port 443 For external requests use port 8444 ups Avaya Aura Web Gateway csa csa uwd dist uwd dist notification notification portal portal acs AADS Node 1 FQDN 8448 AADS Node 2 FQDN 8448 AADS Node X FQDN 8448 acs Avaya Aura Device Services Route configuration for an external load balancer October 2018 Deploying the Avaya ...

Page 108: ...ation checklist Perform the tasks in this checklist to configure Avaya SBCE No Task Notes 1 Configure reverse proxy In a single FQDN for all services deployment complete the tasks outlined in Reverse proxy configuration checklist for a single FQDN deployment on page 109 In a multiple FQDN deployment complete the tasks outlined in Reverse proxy configuration checklist for a multiple FQDN deployment...

Page 109: ... external and internal traffic rules For configuring external traffic rules see Configuring external traffic rules in a single FQDN for all services deployment on page 113 For configuring internal traffic rules see Configuring internal traffic rules in a single FQDN for all services deployment on page 115 Related links Avaya Session Border Controller for Enterprise configuration checklist on page ...

Page 110: ...ave the following interfaces on Avaya SBCE One B1 interface for external traffic One A1 interface for outgoing HTTP traffic that runs to Avaya Equinox Conferencing Management Web Collaboration Services and Avaya Aura Web Gateway One A1 interface for internal enterprise HTTP traffic If you are using multiple FQDNs ensure that you have the following interfaces on Avaya SBCE One B1 interface per FQDN...

Page 111: ...le on page 141 When creating a profile use the certificate installed on the Avaya SBCE in the previous step Provide a descriptive name for the profile For example webservicesTlsProfile Related links Reverse proxy configuration checklist for a single FQDN deployment on page 109 Checklist for creating TLS server profiles for reverse proxy in a multiple FQDN deployment No Task Notes 1 Create certific...

Page 112: ... and a key on page 138 When installing certificates use descriptive names For example conferencingManagementCert for the Avaya Equinox Conferencing Management service certificate Note When installing a certificate make sure that you use the corresponding key Do not install keys of another certificates 5 Create TLS server profiles using the installed certificates See Creating a TLS server profile o...

Page 113: ...iptive name for the profile For example certificateAuthorityTlsProfile Related links Reverse proxy configuration checklist for a single FQDN deployment on page 109 Reverse proxy configuration checklist for a multiple FQDN deployment on page 109 Configuring external traffic rules in a single FQDN for all services deployment Before you begin Ensure that you have The TLS server profile for reverse pr...

Page 114: ...3 Select the Rewrite URL check box 14 Click Add at the bottom of the page to create a set of rules and configure the rules as described in External traffic rules for a single FQDN deployment on page 114 15 Click Finish Related links External traffic rules for a single FQDN deployment on page 114 Reverse proxy configuration checklist for a single FQDN deployment on page 109 External traffic rules f...

Page 115: ...FQDN 8444 uwd dist uwd dist Avaya Aura Web Gateway Virtual IP FQDN 8444 notifica tion notifica tion Avaya Aura Web GatewayVirtual IP FQDN 8444 portal portal Configuring internal traffic rules in a single FQDN for all services deployment Before you begin Ensure that you have The TLS server profile for reverse proxy For more information see the TLS server profile creation tasks outlined in Checklist...

Page 116: ... traffic rules for a single FQDN deployment on page 116 15 Click Finish Related links Internal traffic rules for a single FQDN deployment on page 116 Reverse proxy configuration checklist for a single FQDN deployment on page 109 Internal traffic rules for a single FQDN deployment Server Address White list URL URL replace Description Equinox Management FQDN 443 uwd rest uwd rest Equinox Conference ...

Page 117: ...s procedure for each service in your deployment For example if you have multiple Web Collaboration Services servers in your deployment you must perform this procedure for each server Before you begin Ensure that you have TLS server profiles for each service in your deployment For more information see the TLS server profile creation tasks outlined in Checklist for creating TLS server profiles for r...

Page 118: ...es for a single FQDN deployment on page 114 15 Click Finish Related links External traffic rules in a multiple FQDN deployment on page 118 Reverse proxy configuration checklist for a multiple FQDN deployment on page 109 External traffic rules in a multiple FQDN deployment Traffic rules for Avaya Equinox Conferencing Management Server Address White list URL URL replace Description Equinox Managemen...

Page 119: ...ewall External client access configuration checklist Perform the tasks outlined in this checklist if you are planning to use any external clients including WebRTC mobile or desktop clients outside the enterprise firewall No Task Notes 1 Create a server TLS profile for a management interface See Checklist for creation of a TLS server profile for a management interface on page 120 2 Configure Avaya ...

Page 120: ...n Name use the management interface FQDN For example asbce_management company com For Subject Alternative Name provide both the FQDN and IP address of the management interface For example DNS asbce_management company com IP 10 10 10 10 2 Download and save created KEY and CSR files 3 Send the CSR file to the System Manager CA for signing See Signing certificates with the System Manager CA on page 1...

Page 121: ...cklist for creation of a TLS server profile for a management interface on page 120 Procedure 1 Log in to the Avaya SBCE web administration portal 2 Navigate to Device Specific Settings Advanced Options Load Monitoring 3 Click Add to create a new monitoring profile 4 In Load Balancer Type select INTERNAL This is the load balancer on the A1 side of the network Avaya Aura Web Gateway performs load ba...

Page 122: ...ura Web Gateway For more information see External native clients media configuration on page 128 4 In IP Port enter 5061 5 In SIP Protocol select TLS 6 In HTTP Address type the internal Avaya SBCE FQDN specified for the load monitoring entry For example asbce_management company com 7 In HTTP Port enter 443 8 In HTTP Protocol select https 9 In Location specify the location of the Avaya SBCE server ...

Page 123: ...ic IP addresses of the STUN TURN interface The IP address of the external B1 interface The firewall NAT public IP address of the external B1 interface For more information about the B1 interface see WebRTC client side TURN configuration on page 124 d In Port enter 3478 e In Internal SIP IP type the FQDN or IP address of the internal A1 interface of the Avaya SBCE that is used for SIP signaling For...

Page 124: ...nfigure firewall rules See Firewall configuration on page 125 4 Configure a TURN STUN profile for WebRTC calls on Avaya SBCE See Configuring a TURN STUN profile for WebRTC calls on Avaya Session Border Controller for Enterprise on page 126 5 Configure the TURN relay service for WebRTC calls on Avaya SBCE See Configuring the TURN relay service for WebRTC calls on Avaya Session Border Controller for...

Page 125: ...on page 138 When installing the certificate use a descriptive name For example turnmediaCert 5 Create a TLS server profile using the installed certificate See Creating a TLS server profile on page 141 When creating a profile use the certificate installed on the Avaya SBCE in the previous step Provide a descriptive name for the profile For example turnmediaTlsProfile Firewall configuration External...

Page 126: ...N STUN profile for WebRTC calls on Avaya Session Border Controller for Enterprise Procedure 1 Log in to the Avaya SBCE web administration interface 2 Navigate to Device Specific Settings TURN STUN Service 3 From the Application pane select the Avaya SBCE device for which the new TURN STUN profile will be created 4 Click TURN STUN Profiles 5 Click Add The system displays the Add TURN STUN Profile w...

Page 127: ...n IP provide the listen IP address of the TURN server from the B1 interface Important Do not use this IP address for any other interface bound to port 443 7 In Media Relay provide the media relay IP address of the TURN server from the internal A1 interface that you used for load monitoring 8 In Service FQDN provide the FQDN that resolves to the address specified in the Listen IP field For example ...

Page 128: ...list if you are planning to use Avaya Equinox mobile and desktop clients outside of your enterprise firewall No Task TLS server profile required for SIP communications with Avaya SBCE 1 Verify prerequisites See Prerequisites on page 129 1 Create a TLS server profile for required for SIP communications with Avaya SBCE See TLS server profile checklist for external native clients media configuration ...

Page 129: ...e B interface IP address on the Avaya SBCE TLS server profile checklist for external native clients media configuration Perform the following tasks to create a TLS server profile required for SIP communications with Avaya SBCE No Task Notes 1 Create a certificate signing request See Certificate setup on page 135 Use the following options For Common Name use the Equinox Management FQDN For example ...

Page 130: ... communications with Avaya SBCE No Task Notes 1 Create a certificate signing request See Certificate setup on page 135 Use the following options For Common Name use the HTTP media tunneling FQDN For example media company com For Subject Alternative Name use the HTTPS media tunneling For example DNS media company com 2 Download and save the created KEY and CSR files 3 Send the CSR file to a public ...

Page 131: ...he internet to Avaya SBCE on the B interface This option is only required if you are using direct RTP media Internal firewall rules Port Protocol Description 35000 to 40000 UDP For UDP media from Avaya SBCE For media traffic that runs from the A interface of Avaya SBCE to the MCU 7K and MCU 6K servers 12000 to 13200 UDP For UDP media from media services For media traffic that runs from MCU 7K serv...

Page 132: ...ield blank 7 Leave the UDP Port field blank 8 In TLS Port enter 5061 9 In TLS Profile select the TLS server profile created for SIP signaling For example conferencingManagementSipTlsProfile For more information see TLS server profile checklist for external native clients media configuration on page 129 10 Click Finish Configuring the Avaya Session Border Controller for Enterprise media interface A...

Page 133: ...ate to Device Specific Settings Media Interface and then click Add b In Name provide a name for the media interface For example internalMediaInterfaceProfile c From IP Address select the A1 IP address 6 To enable video media do the following a Navigate to Domain Policies Application Rules and then clone an existing media rule or create a new one b For the new application rule select In and Out for...

Page 134: ...en click Add b From Sever Type select Trunk Server c Leave SIP domain blank d From TLS Client Profile select the TLS client profile that you created when you configured a certificate authority for reverse proxy e Add the Avaya Equinox Management FQDN with port 5061 and the TLS protocol specified f In the Advanced Options section select the Enable Grooming check box and then select the previously c...

Page 135: ...ettings End Point Flows Server Flows and then select Add b In Flow Name provide a name for the flow For example AAWGFlow c From Server Configuration select the Avaya Aura Web Gateway configuration that you created in step 4 d From Received Interface select the internal A1 interface e From Signaling Interface select the internal A1 interface f From Media Interface select the external B1 interface g...

Page 136: ...on Repudiation or Digital Signature j Extended Key Usage Select Server Authentication and Client Authentication k Subject Alt Name Provide information FQDNs or IP addresses that must be included into the certificate Use the following format DNS FQDN IP IP address You can specify multiple FQDNs or IP addresses l Passphrase Proivde the password used when encrypting the private key m Confirm Passphra...

Page 137: ... c In Status select New and enter the password d Continue performing the procedure from the following step 6 Configure the end entity fields as follows a Subject DN CN FQDN of the server interface that provides TLS support b Subject Alternative Name For DNS name enter the FQDN of the server interface that provides TLS support and for IP Address enter the UP address of the IP requiring TLS support ...

Page 138: ...nt to install This field is optional If you do not provide a name then the file name of the uploaded certificate file will be used as the certificate name Note If you provide a name that matches the name of one of installed certificates the system replaces that certificate with the certificate that you are installing c Override Existing Select if you can install a certificate with the name that ma...

Page 139: ...n is displayed when you select Upload Key File in the Key field 6 Click Upload 7 Log in to Avaya SBCE as root using an SSH connection The port is 222 Use the ipcs user name and password 8 Navigate to the usr local ipcs cert key directory 9 Run the enc_key filename passphrase command In this command filename is the name of the encryption key file and passphrase is the passphrase you used while gene...

Page 140: ...Log in to the Avaya SBCE web administration portal 5 Navigate to TLS Management Certificates 6 Select Install 7 Complete the following fields a Type Select CA Certificate b Name Enter a name for the certificate If you have not downloaded the Private Key you must type the name you provided in the Common Name field while generating CSR If you have downloaded the Private Key you can type any name for...

Page 141: ...edure 1 Log in to the Avaya SBCE web administration portal 2 Navigate to TLS Management Client Profiles 3 Click Add 4 In Profile Name enter a name for the profile 5 In Certificate select the installed CA certificate that you want to associate with the profile 6 Complete the remaining fields as required and then click Next 7 Select the required TLS versions and then click Finish The system displays...

Page 142: ...least one IP address associated with it External interface B1 with at least one IP address associated with it Avaya Session Border Controller for Enterprise configuration October 2018 Deploying the Avaya Aura Web Gateway 142 Comments on this document infodev avaya com ...

Page 143: ... Avaya Aura Communication Manager What s New in Avaya Aura Release 7 1 Understand the new and enhanced features of Avaya Aura components Contractors Employees Channel associates Sales services and support personnel Avaya Business Partners Using Avaya Scopia Desktop Client User Guide Use the Avaya Scopia desktop client This document also provides usage information for the user portal End users Depl...

Page 144: ...Manager Administering Avaya Session Border Controller for Enterprise Perform configuration system administration and troubleshooting tasks in Avaya Aura Session Border Controller Implementing and Administering Avaya Aura Media Server Perform configuration system administration and troubleshooting tasks in Avaya Aura Media Server Finding documents on the Avaya Support website Procedure 1 Navigate t...

Page 145: ...s or the entire document Add content to your collection using My Docs From the My Content My Docs menu you can Create rename and delete a collection Add content from various documents to a collection Save a PDF of selected content in a collection and download it to your computer Share content in a collection with others through email Receive content that others have shared with you Add yourself as...

Page 146: ...e and on the Avaya run channel on YouTube Procedure To find videos on the Avaya Support website go to http support avaya com and perform one of the following actions In Search type Avaya Mentor Videos to see a list of the available videos In Search type the product name On the Search Results page select Video in the Content Type column on the left To find the Avaya Mentor videos on YouTube go to w...

Page 147: ...ation Information about training and certification programs Links to other pertinent information If you are an authorized Avaya Partner or a current Avaya customer with a support contract you can access the Knowledge Base without extra cost You must have a login account and a valid Sold To number Use the Avaya InSite Knowledge Base for any potential solutions to problems 1 Go to http www avaya com...

Page 148: ...t from the web administration portal when possible Generating Certificate Signing Requests About this task Use this procedure to generate a Certificate Signing Request CSR Important You must use this procedure if you are not using System Manager as the only Certificate Authority CA to sign certificates for all solution components Before you begin Ensure that Avaya Aura Web Gateway is successfully ...

Page 149: ...t or sub organization For example Design locality The name of the city or town state The two digit state or province code countryCode The two digit country code emailAddress The administrator email address 4 Verify that opt Avaya AAWGportalCerts contains the key and csr files for front end node OAMP and SIP Only the frontEnd csr and frontEnd key files are used You can ignore the sip oamp node csr ...

Page 150: ...g your Linux administrator account credentials The Linux administrator account is created during the deployment process 2 To open the Avaya Aura Web Gateway configuration utility run the following command app configure 3 Select Front end host System Manager and Certificate Configuration 4 Select Use System Manager for Certificates and then select No 5 Select the following options type the file pat...

Page 151: ...ertificate because that was already added during the initial installation Procedure 1 Run the following command to open the configuration utility app configure 2 Select Add a Certificate to the TrustStore 3 To add a certificate select Certificate file and specify the path to the file 4 Select Apply If the provided file contains certificate chain then all certificates will be added to the truststor...

Page 152: ...st_file csr specifies a CSR file name CSR_key_file key specifies a file containing a private key that is used to add the signed certificate to the system configuration_file specifies the OpenSSL configuration file that was created in the previous step For example openssl req out createCSR csr newkey rsa 2048 nodes keyout keyCSR key config configCSR config Signing identity certificates for Avaya Au...

Page 153: ...om the certification authority If these certificates are not in the PEM format you can convert these certificates using the OpenSSL tool Generate the identity certificate chain Procedure 1 Log on to Avaya Aura Web Gateway using your SSH credentials 2 Go to opt Avaya CallSignallingAgent version CAS version nginx certs 3 Run the following command sudo cat rootCA pem auth_ca crt In this command is us...

Page 154: ...15 Click Apply Configuring System Manager to trust third party root CA certificates Procedure 1 Log on to the System Manager web console 2 Click Home Services Inventory Manage Elements 3 Select System Manager from the Elements 4 Click Configure Trusted Certificates in the More Actions list 5 Click Add and select Import from file 6 Click Choose File and browse to the third party root CA certificate...

Page 155: ...on name The user ID you provide must use the same format that you used for the UID Attribute ID field on the LDAP Configuration tab d Set Certificate Profile to ENDUSER e Click Add A new end entity with the specified user name is created on the System Manager web console 5 In the left navigation pane click the Public Web tab and complete the following settings a In Username and Enrollment code typ...

Page 156: ...ns Advanced Certificates View Certificates 2 Click Import to import the certificate to your browser When prompted for a password enter the same password that was used in the openssl command to convert the pem file to a pfx p12 file Tip To override the certificate authentication in the SSH console set com avaya cas common certificateauth to 0 as shown in the following image CATALINA_OPTS CATALINA_O...

Page 157: ... certificates to be signed or issued by a trusted Certificate Authority CA REQUIRED Ensures that the clients present a valid certificate that is signed or issued by a trusted CA to establish a secure HTTP connection with the Avaya Aura Web Gateway Creating a client certificate October 2018 Deploying the Avaya Aura Web Gateway 157 Comments on this document infodev avaya com ...

Page 158: ...h a secure channel between a local and a remote computer SSH uses public key cryptography to mutually authenticate a user and a remote computer SSH uses encryption and message authentication codes to protect the confidentiality and integrity of the data that is exchanged between the two computers Simple Network Management Protocol SNMP A protocol for managing devices on IP networks SSL Secure Sock...

Page 159: ...ity configuring for reverse proxy 113 certificate signing requests 151 certificate signing requests continued generating 148 checklist AWS deployment 42 configuring reverse proxy 109 external client access configuration 119 external native clients media configuration 128 planning 23 reverse proxy configuration multiple FQDNs deployment 109 single FQDN deployment 109 VMware deployment 42 WebRTC cli...

Page 160: ...eployment Manager 45 using vSphere 44 vCenter 43 deployment Amazon Web Services 47 AWS 42 VMware 42 43 deployment models configuration requirements 20 deployment process 20 descriptions LDAP parameter 88 diagram solution architecture 12 topology 12 disk partitioning 39 DNS configuration 96 documentation portal 145 finding content 145 navigation 145 document changes 9 E Equinox conference control c...

Page 161: ...on 23 prerequisites certificates 25 FQDN 25 IP addresses 25 R related documentation 143 replacing seed node 68 required skills and knowledge 25 requirements configuration requirements for deployment models 20 external load balancer 40 resource profile specifications 37 reverse proxy configuring certificate authority 113 configuring external traffic rules multiple FQDNs deployment 117 single FQDN d...

Page 162: ...a 129 for media tunneling interface 130 for reverse proxy 110 111 topology diagram 12 geo distribution topology diagram 14 training 146 TURN client side configuration 124 TURN for a WebRTC client configuring 128 U uninstall Avaya Aura Web Gateway 63 uploading Avaya Equinox clients to AADS 104 OVAs 50 using alias 27 utility installer certificate configuration 73 front end host 73 V vCenter 43 video...