Configuring the Mediation Server
Topic Last Modified: 2009-11-16
A Mediation Server mediates signaling and media between the Enterprise Voice infrastructure and another gateway, such as a media gateway. A media gateway translates signaling and media between the PSTN or PBX and Office Communications Server Directors and Front End Servers.
The existence of media gateways in an Office Communications Server 2007 R2 network creates a potential security gap. Because many of these gateways do not support the SRTP Master Key Identifier (MKI), Transport Layer Security (TLS), or Secure Real-Time Transport Protocol (SRTP), the traffic that arrives from them cannot be trusted. To help ensure the physical as well as logical separation of the Enterprise Voice infrastructure from the media gateways, the Mediation Server is generally installed on a computer that has two network adapters:
- A network adapter facing the Office Communications Server 2007 R2 proxy that acts as the Mediation Server’s internal next hop. This adapter on the internal edge of the Mediation Server accepts traffic only from the internal network and uses a unique IP address (called “IP1” in this example).
- A network adapter facing the gateway. This adapter on the external edge of the Mediation Server accepts traffic from a media gateway and uses a unique IP address (called “IP2” in this example).
Each network adapter is configured with a separate listening address so that there is always clear separation between trusted traffic that originates in the Office Communications Server network and untrusted traffic from the public switched telephone network (PSTN).
IP addresses IP1 and IP2 must be located in different subnets and routable networks. A Domain Name System (DNS) query from the internal network (that is, the proxy side) must resolve the Mediation Server fully qualified domain name (FQDN) to IP1. A DNS query or static configuration on the external network (that is, the gateway side) must resolve the Mediation Server FQDN to IP2. IP2 must not be reachable from any Office Communications Server entity, including any entity on the subnet that contains IP1; it should be reachable only from the gateway listening IP address. Similarly, IP1 must not be reachable from any gateway-side entity, including any entity on the subnet that contains IP2; it should be reachable only from Office Communications Server entities. These reachability rules are enforced by routing and firewall policy, not by the Mediation Server itself, so verify them from a host on each side of the network after deployment.
If the two network adapters cannot be separated in this manner, a single network adapter and IP address must be used to connect to the Mediation Server. You must use Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) in this topology, because trusted and untrusted traffic then arrive on the same interface and only the protocols themselves keep them apart.
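The following PowerShell script is added here as an example; it is not part of the Office Communications Server documentation. Run on the Mediation Server itself, it checks the two-adapter layout described above: that the FQDN resolves to exactly one address (IP1), that IP1 and IP2 are bound to different adapters in different subnets, and that the gateway-facing adapter does not register its address in dynamic DNS. The FQDN, addresses and script name are placeholders to replace with your own values; it uses the Win32_NetworkAdapterConfiguration WMI class rather than newer networking cmdlets so that it runs on the Windows Server releases of the period.

```powershell
# Added example (not from the Office Communications Server documentation).
# Run on the Mediation Server itself. Checks the two-adapter separation above:
#   1. the FQDN resolves to exactly one address, IP1;
#   2. IP1 and IP2 are bound to different adapters in different subnets;
#   3. the gateway-facing adapter does not register in dynamic DNS.
# The defaults below are placeholders (assumptions); pass your own values.
param(
    [string]$MediationFqdn = "medsrv01.contoso.com",  # assumed placeholder
    [string]$InternalIP    = "10.10.1.20",            # IP1, assumed placeholder
    [string]$GatewayIP     = "192.168.50.20",         # IP2, assumed placeholder
    [switch]$Fix                                       # turn off DNS registration on the IP2 adapter
)

# Network address of an IPv4 address under a dotted-decimal mask.
function Get-NetworkId([string]$ip, [string]$mask) {
    $ipBytes   = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($mask).GetAddressBytes()
    $net = 0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }
    return ($net -join '.')
}

$problems = @()

# 1. DNS: internal-side resolution of the FQDN must yield only IP1.
$resolved = @([System.Net.Dns]::GetHostAddresses($MediationFqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.ToString() })
if ($resolved.Count -ne 1 -or $resolved[0] -ne $InternalIP) {
    $problems += "$MediationFqdn resolves to [$($resolved -join ', ')]; expected only $InternalIP"
}

# 2. Adapters: locate the configuration that carries each address (WMI; works on Windows Server 2008).
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$intCfg  = @($configs | Where-Object { $_.IPAddress -contains $InternalIP })
$gwCfg   = @($configs | Where-Object { $_.IPAddress -contains $GatewayIP })
if ($intCfg.Count -ne 1) { $problems += "IP1 $InternalIP is bound to $($intCfg.Count) adapters; expected 1" }
if ($gwCfg.Count  -ne 1) { $problems += "IP2 $GatewayIP is bound to $($gwCfg.Count) adapters; expected 1" }

if ($intCfg.Count -eq 1 -and $gwCfg.Count -eq 1) {
    $intCfg = $intCfg[0]; $gwCfg = $gwCfg[0]
    if ($intCfg.Index -eq $gwCfg.Index) {
        $problems += "IP1 and IP2 are on the same adapter ($($intCfg.Description))"
    }
    # IPAddress and IPSubnet are parallel arrays, so the mask shares the address's index.
    $intMask = $intCfg.IPSubnet[[array]::IndexOf($intCfg.IPAddress, $InternalIP)]
    $gwMask  = $gwCfg.IPSubnet[[array]::IndexOf($gwCfg.IPAddress, $GatewayIP)]
    if ((Get-NetworkId $InternalIP $intMask) -eq (Get-NetworkId $GatewayIP $gwMask)) {
        $problems += "IP1 and IP2 are in the same subnet ($(Get-NetworkId $InternalIP $intMask))"
    }
    # 3. Dynamic DNS: only the internal adapter may register, or the FQDN gains a second A record (IP2).
    if ($gwCfg.FullDNSRegistrationEnabled) {
        if ($Fix) {
            $rc = $gwCfg.SetDynamicDNSRegistration($false, $false).ReturnValue
            $problems += "gateway-facing adapter was registering in DNS; disabled (ReturnValue=$rc); remove any stale A record for IP2"
        } else {
            $problems += "gateway-facing adapter ($($gwCfg.Description)) registers in DNS; rerun with -Fix or clear the setting by hand"
        }
    }
}

if ($problems.Count -eq 0) {
    "OK: $MediationFqdn -> $InternalIP only; IP1 and IP2 on separate adapters and subnets; no DNS registration on IP2."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it as, for example, .\Test-MediationEdges.ps1 -MediationFqdn medsrv01.contoso.com -InternalIP 10.10.1.20 -GatewayIP 192.168.50.20 (the script name is an assumption). The reachability requirements, IP2 unreachable from Office Communications Server entities and IP1 unreachable from the gateway side, cannot be proven from the server itself; confirm them with a connection attempt from a host on each side of the network.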
A Mediation Server must be able to pass SIP requests and media between the Enterprise Voice infrastructure and a media gateway connected to the PSTN. Media flowing both directions between the Mediation Server and the Office Communications Server network is encrypted by using SRTP. Organizations that rely on Internet Protocol security (IPsec) for packet security are strongly advised to create an exception on a small media port range if they plan to deploy Enterprise Voice. The security negotiations required by IPsec work well for normal User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) connections, but they can slow down call setup to unacceptable levels.
Network settings for the Mediation Server include the following:
- The FQDN of the Mediation Server.
- The Office Communications Server listening IP address. The internal edge of a Mediation Server is identified by a unique combination of IP address and port number; the default port is 5061. If an advanced media gateway is used, this is the address on that gateway that listens for call traffic from Office Communications Server; if no advanced media gateway is used, it is the address of the network adapter that serves as the internal edge of the Mediation Server. The address that you select as the Office Communications Server listening IP address must match the address that a DNS query for the Mediation Server's FQDN returns. If it does not, connections fail, because call traffic is directed to an interface that is not listening for Office Communications Server traffic.
- The gateway listening IP address. The external edge of a Mediation Server should be configured as the internal next hop proxy for the media gateway. The default port is 5060. It should be identified by a unique combination of IP address and port number. The IP address should not be the same as that of the internal edge. The gateway listening IP address is the address on the Mediation Server that listens for traffic from a basic media gateway or Basic Hybrid Media Gateway. This address corresponds to the network adapter that serves as the external edge of the Mediation Server.
- The name of the A/V Edge Server that is to provide A/V authentication for the Mediation Server.
- The default location profile to be used by the Mediation Server.
- The port range for media exchange. This range can be between 49152 and 65535, but we recommend that you use the default media port range, which is 60000 to 64000. This is because of the following:
- High-bandwidth traffic such as voice and video tends to stress poorly provisioned networks, and reducing the port range below the recommended range greatly reduces server capacity.
- Limiting media traffic to a known range of ports makes troubleshooting bandwidth problems easier.
For basic media gateways, the bandwidth requirement between gateway and Mediation Server is 64,000 bits per second (bps) per concurrent call. Multiplying this number by the number of ports for each gateway is a fair estimate of the required bandwidth on the gateway side of the Mediation Server. On the Office Communications Server side, the bandwidth requirement is considerably lower. The default media port range enables the server to handle up to 1,000 simultaneous voice calls. Reducing the port range greatly reduces server capacity. Changing the port range should be undertaken only for specific reasons by an administrator who is knowledgeable about media port requirements and scenarios.
- The FQDN and TLS port of the internal Office Communications Server next hop server used by this Mediation Server.
- The FQDN and TCP port of the media (PSTN) gateway used by this Mediation Server.
A Mediation Server also requires a certificate, which must be assigned to the Mediation Server.
All of the settings in the previous list except the FQDN of the Mediation Server can be configured in the Office Communications Server 2007 R2 snap-in. Changes to any of these settings except the default location profile, the A/V Edge Server, the media port range, and the certificate take effect only after you restart the Office Communications Server Mediation service. Changes to the default location profile and A/V Edge Server take effect only after Active Directory replication completes.
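The Windows Firewall rules below are an added example, not from the original documentation. They bind each listening address to the traffic that the settings list above assigns to it (5061 on the internal edge from the Office Communications Server network only, 5060 on the gateway edge from the gateway only, and the media port range on each edge from the corresponding peer) and express the recommended IPsec exemption for the media ports as a connection security rule. The netsh advfirewall syntax is that of Windows Server 2008 and later; the addresses and subnet are placeholders, and whether the connection security rule accepts a port range is marked as an assumption in the code.

```powershell
# Added example (not from the Office Communications Server documentation).
# Scopes the host firewall of a dual-homed Mediation Server so that each
# listening address accepts only the traffic assigned to it above.
# Placeholders (assumptions) to replace with your own values:
$IP1         = "10.10.1.20"      # internal edge: Office Communications Server listening IP, 5061/TLS
$IP2         = "192.168.50.20"   # external edge: gateway listening IP, 5060 (TCP or TLS)
$InternalNet = "10.10.0.0/16"    # network that holds the Office Communications Server entities
$GatewayAddr = "192.168.50.1"    # listening IP address of the media gateway or PBX
$MediaPorts  = "60000-64000"     # default media port range (see the list above)

# Default-deny inbound on every profile. Do not add explicit block rules for the
# remaining traffic on IP1/IP2: in Windows Firewall a block rule overrides an allow
# rule, so a blanket block on IP2 would also drop the gateway traffic allowed below.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Signaling. IP1 listens for the internal next hop only; IP2 for the gateway only.
netsh advfirewall firewall add rule name="Mediation: internal SIP 5061" `
    dir=in action=allow protocol=TCP localip=$IP1 localport=5061 remoteip=$InternalNet
netsh advfirewall firewall add rule name="Mediation: gateway SIP 5060" `
    dir=in action=allow protocol=TCP localip=$IP2 localport=5060 remoteip=$GatewayAddr

# Media. The same port range is used on both edges, but from different peers.
netsh advfirewall firewall add rule name="Mediation: internal media (SRTP)" `
    dir=in action=allow protocol=UDP localip=$IP1 localport=$MediaPorts remoteip=$InternalNet
netsh advfirewall firewall add rule name="Mediation: gateway media (RTP/SRTP)" `
    dir=in action=allow protocol=UDP localip=$IP2 localport=$MediaPorts remoteip=$GatewayAddr

# IPsec exemption for the media ports, as the text above recommends, expressed as a
# connection security rule that requires no authentication. ASSUMPTION: that your
# Windows version accepts a port range in port1=; if "netsh advfirewall consec add rule ?"
# shows single ports only, create the exemption in your IPsec policy tooling instead.
netsh advfirewall consec add rule name="Mediation: no IPsec on media ports" `
    endpoint1=any endpoint2=any protocol=UDP port1=$MediaPorts port2=any action=noauthentication

# Show what was created.
netsh advfirewall firewall show rule name=all | Select-String "Mediation:"
```

These rules restrict only what the Mediation Server host accepts. The requirement above that IP2 be unreachable from Office Communications Server entities, and IP1 unreachable from the gateway side, still has to be enforced on the routers or network firewalls between the two subnets.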
To configure a Mediation Server
To configure the Mediation Server, use the information in this topic and the following procedure.
1. Log on to an Office Communications Server 2007 R2 Mediation Server.
2. Click Start, point to Administrative Tools, and then click Office Communications Server 2007 R2.
3. Expand the appropriate forest node.
4. Expand the Mediation Servers node, right-click the Mediation Server to be configured, click Properties, and then click the General tab.
5. In the FQDN box, make sure that the FQDN listed matches that of the Mediation Server you have selected.
6. Open a command prompt, type nslookup <FQDN of Mediation Server>, using the FQDN displayed on the General tab, and then press ENTER. The query should return exactly one address, the internal (IP1) address.
   Configure only the Office Communications Server-facing adapter for dynamic Domain Name System (DNS) registration. Otherwise, the FQDN resolves to both IP addresses, which causes connections to fail unpredictably.
7. From the list of IP addresses displayed in the Office Communications Server listening IP address list, select the IP address returned in step 6.
   If the IP address selected in step 7 does not match the IP address returned in step 6, Office Communications Server traffic is directed toward an interface that is not listening for such traffic and away from the one that is.
8. From the list of two IP addresses displayed in the Gateway listening IP address list, select the other IP address (that is, the one not already selected in step 7).
   The gateway-side peer that connects to the address selected in step 8 can be either a media gateway or a Private Branch Exchange (PBX).
9. In the Port box, accept the default value of 5060 for TCP.
10. From the A/V Edge Server list, select the A/V Edge Server that hosts the A/V Authentication Service for this Mediation Server.
    If that A/V Edge Server does not appear in the list, it has not been entered into the A/V Edge Servers list on the Edge Servers tab of the Global Properties page. Add it there first; it then appears in the A/V Edge Server list on the Mediation Server tab. For details, see the Office Communications Server 2007 R2 Edge Server Deployment Guide documentation.
11. In the Default location profile list, select the default location profile for this Mediation Server.
12. In Media port range, accept the default range of 60,000 to 64,000.
    Reducing the port range greatly reduces server capacity. Only an administrator who is knowledgeable about media port requirements and scenarios should change it, and only for a specific reason; altering the default range is otherwise not recommended.
    Organizations that employ IPsec for packet security should exempt the media ports from it, because the security negotiation required by IPsec delays call setup. IPsec is unnecessary for these ports on the internal side, because SRTP secures all media between the Mediation Server and the internal Office Communications Server network. On the gateway side, however, media is protected only if the gateway supports SRTP and Require encryption is selected in step 14.
13. Click the Next Hop Connections tab, and then under Office Communications Server next hop, do the following:
    - In the FQDN list, select the FQDN of the next hop internal server. This server can be a Director or a pool.
    - In the Port box, accept the default of 5061 for TLS.
14. On the Next Hop Connections tab, under PSTN Gateway next hop, do the following:
    - In the Address box, specify the IP address or FQDN of the PSTN gateway or the PBX associated with this Mediation Server. If TLS is enabled, you must specify an FQDN, because the name is needed to validate the gateway's certificate.
    - In the Transport box, click TLS if the SIP signaling between the gateway and the Mediation Server is protected by TLS. If you are not using TLS, click TCP.
    - In the Encryption Level box, select the level of SRTP protection for media traffic:
      - If you do not want to use SRTP, click Do not support encryption. If you clicked TCP in the Transport box, this is the only option available, because the SRTP keys are exchanged in the SIP signaling and would otherwise cross the wire in clear text.
      - To require SRTP, click Require encryption. A gateway that cannot negotiate SRTP then cannot set up calls.
      - To attempt SRTP but fall back to unencrypted media if the negotiation fails, click Support encryption. Calls then proceed with unencrypted media on the gateway leg whenever negotiation fails; use Require encryption wherever the gateway supports SRTP.
    - In the Port box, accept the default of 5060 for TCP or TLS.
15. If you want the Mediation Server to strip the plus sign (+) prefix from the Request-URI, the To URI, and the From URI of outgoing calls to the gateway, set the Windows Management Instrumentation (WMI) setting RemovePlusFromRequestURI to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.
16. If you want to enable Quality of Service (QoS) marking on the Mediation Server, set the WMI setting QoSEnabled to TRUE (the default value is FALSE). For details about this setting, see the "New Configuration Option in Mediation Server" section in Enterprise Voice Server-Side Components in the Planning and Architecture documentation.
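The following PowerShell script is an added example, not from the original documentation, and shows how to read and set the two WMI settings from the last two steps. The topic names the settings but not the WMI class that holds them, so the class name MSFT_SIPMediationServerConfigSetting used below is an assumption; the script therefore lists the candidate classes first so that you can confirm or correct it before writing anything. The service display-name pattern used for the restart is likewise an assumption.

```powershell
# Added example (not from the Office Communications Server documentation).
# Reads and sets the RemovePlusFromRequestURI and QoSEnabled WMI options.
# ASSUMPTION: the settings live in the class named in $class under root\cimv2.
# The topic names only the settings, so the candidate classes are listed first;
# if the assumed name is not among them, change $class to the one shown.
$ns    = "root\cimv2"
$class = "MSFT_SIPMediationServerConfigSetting"   # assumed class name

Get-WmiObject -Namespace $ns -List |
    Where-Object { $_.Name -like "MSFT_SIPMediationServer*" } |
    ForEach-Object { "Candidate class: $($_.Name)" }

# -ErrorAction Stop turns an unknown class into a terminating error instead of an empty result.
$cfg = Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop
if (-not $cfg) { throw "No instance of $class on this server; is this the Mediation Server?" }

"Before: RemovePlusFromRequestURI=$($cfg.RemovePlusFromRequestURI)  QoSEnabled=$($cfg.QoSEnabled)"

# Both default to FALSE. Strip the leading + toward the gateway and mark media with QoS.
$cfg.RemovePlusFromRequestURI = $true
$cfg.QoSEnabled               = $true
$cfg.Put() | Out-Null

# Read back from WMI rather than trusting the local object.
$cfg = Get-WmiObject -Namespace $ns -Class $class
"After:  RemovePlusFromRequestURI=$($cfg.RemovePlusFromRequestURI)  QoSEnabled=$($cfg.QoSEnabled)"

# Most Mediation Server setting changes take effect only after the Office
# Communications Server Mediation service restarts (see the note before the procedure).
# ASSUMPTION: the service is found by this display-name pattern; adjust it if yours differs.
Get-Service -DisplayName "*Mediation*" | Restart-Service -Verbose
```

Restarting the Mediation service drops calls that are in progress on this server, so schedule the change accordingly.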