Enabling ASDM Access On Management Network

pixfirewall> enable
Password:
pixfirewall# configure terminal
pixfirewall(Config)# interface ethernet1
pixfirewall(Config-if)# nameif inside
pixfirewall(Config-if)# ip address 192.168.1.1 255.255.255.0
pixfirewall(Config-if)# no shutdown
pixfirewall(Config-if)#
Activate ASDM and enable the HTTP server.
pixfirewall(Config)# asdm image flash:/asdm.bin
pixfirewall(Config)# http server enable
Allow connections from your PC. For example, if your PC's IP address is 192.168.1.2:
pixfirewall(Config)# http 192.168.1.2 255.255.255.255 inside
Verify that the configuration is in place.
pixfirewall(Config)# show running http
http server enabled
http 192.168.1.0 255.255.255.0 inside
pixfirewall(Config)#
Now your Cisco ASA/PIX can be accessed from your PC.
Make sure your PC and the firewall are connected, then open your web browser and enter this address:
https://192.168.1.1/admin

Converting Cisco 7912 to SIP

Converting 7940/7960 to SIP is a walk in the park compared to converting a 7912. In order to convert the phone I had to:

  • Point the phone to my tftp server and allow it to download the correct firmware. I used cp7912080000sip060111a
  • Then I found and edited the "sipexample.txt" file that came with the firmware to work with my SIP setup
  • Then I tried to run cfgfmt.exe on "sipexample.txt", but it told me that it could not find ptag.dat, so I had to rename the file "sip_ptag.dat" that came with the firmware to ptag.dat for the tool to convert the text file into a binary file.
  • Finally I placed the binary file named gkMAC_ADDRESS in the root of the tftp server and restarted the phone. My tftp server already had a binary copy of gkdefault.txt on it; otherwise I would have had to convert that file to binary with the tool and place it on the tftp server as well.

VoIP Faxing Notes

Large fixed-size jitter buffer

Don't use echo cancellation

Call starts out in either g711 or g729.
Then, if the switch hears the CNG tones and t.38 is enabled on the mediatrix box, it switches over to t.38.
If you are using g729, the switch might not detect the CNG tones, which is why g711 is better.
The preferred clear channel codec is only for when t.38 is disabled; it specifies which codec to use when CNG tones are detected.
T.38 is not a call setup protocol, thus the T.38 devices need to use standard call setup protocols to negotiate the T.38 call, e.g. H.323, SIP & MGCP.
For call waiting to work, the user must have the call waiting feature in broadsoft, it must be turned on, and call waiting must be enabled on the mediatrix box; otherwise it returns a busy signal.
Faxes have to be set to the lowest baud rate, 9,600. The default for most of the newer machines is 33,600.


Step 1: Reduce baud rate to 9600 or lowest possible (probably 2400)
Step 2: Disable error correction (ECM)
Step 3: Disable bandwidth saver by dialing *99 (countrycode-areacode-number)

The call path is a little confusing (why is there an INVITE from
196.38.232.2 -> 192.168.0.14 and then an INVITE back to the latter from
the former?), but the basic problem seems to be that you have the default
voice codec set to G.729A.  This would explain why "training failed."

The way that T.38 setup works - at least, in the Cisco voice gateway
world - is that the call is first established using a voice codec.  The
DSPs on the receiving gateway analyze the acoustic content of the audio
stream for fax tones and/or modem preambles ("listen").  If they are
detected, the receiving gateway issues a re-INVITE and requests a switch
to T.38 in its new SDP offer.

In order for this to happen, the frequency response of the codec must be
sufficient to reconstruct the clear-channel PCM content of the bearer
channel.  This is only possible with G.711u/A, which is little more than
a packetised form of clear-channel 8 KHz PCM that carries the 3.1 KHz
(300 Hz to 3400 Hz) bearer spectrum of a digital DS0 and/or a
modem-grade analog line.

G.729A is a codec that uses some advanced compression techniques relying
on CELP (Code Excited Linear Prediction).  Like many other compression
schemes, it also shrinks the size of the data by referring via shorthand
to elements of a waveform table/model that approximate the quantised
value of a sample, but do not EQUAL it.  It's good enough for voice that
humans don't see too much of a difference vs. clear-channel PCM, but for
any sort of scheme reliant on the encoding of digital data into the
acoustic content of the bearer, it will positively not work.

As a result, G.729A cannot be used for either the conveyance or
detection of fax tones.  You need to switch this call to G.711u or
G.711A (in Cisco, "g711ulaw" or "g711alaw") before the appropriate
exchange can take place.  Hopefully, that should be all that is
necessary to effect a switch to T.38.  Make sure the default audio codec
for the call is G.711u/A END-TO-END (in all VoIP legs), so that no
transcoding to/from G.729A occurs anywhere.

Of course, there are a variety of other issues that can be brought to
bear on this scenario, but try that and see how it plays out.  One thing
at a time.

Vlans with Linksys SRW224G4P & Non-Cisco Router

Configuring the linksys switch to work with a non-cisco router was a bit of a pain. By default, all cisco interfaces are in vlan pvid 1, the native vlan and the packets are untagged. In order to separate the voice and data on my network, I set up two vlans on my router. VlanID 2 192.168.16.x  is used for voice and VlanID 3 192.168.15.x is used for data. I then configured one of the router's four switch ports to use 802.1Q tagging and enable both vlans on that port.

Each port on the linksys switch must be in one of the following three modes. Access is the default:

– General — The port belongs to VLANs, and each VLAN is user-defined as tagged or
untagged (full 802.1Q mode).
– Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the
packet types which are accepted on the port (packet type) cannot be designated. It is also not
possible to enable/disable ingress filtering on an access port.
– Trunk — The port belongs to VLANs in which all ports are tagged (except for an optional
single native VLAN).

To get the switch to work with my router, I first created two vlans to match those on my router. I then made vlan 3 the management vlan for the switch and gave it an address on the 192.168.15.x network. I then designated port 24 (although you can use any port) to be my trunk port between the linksys switch and my router and told the switch to tag both vlans across that port. I then set the pvid of all of the other ports (1-23) to be 3. The PVID is the default vlan, the one whose traffic will be untagged on the port. Finally I set ports 1-23 to be in general mode, told them to exclude vlan 1, tag vlan 2, and leave vlan 3 untagged.

I then configured my phones to use vlan2 and gave them a 192.168.16.x address. Now any port on the linksys can be used for a phone or a computer, and the pc port on the back of cisco 7940's will also work.

In retrospect I realize I could have only created one additional vlan on the linksys switch and used the native vlan as my data vlan but this took me a little bit of playing around with to find where to configure everything in the gui, and it wasn't worth changing when I got it working.

Using PHP to Access Broadworks over SOAP

First off, this topic is embarrassingly under-documented. developer.broadsoft.com was of very little help. This document was slightly helpful in its explanation regarding the session ID, JSESSIONID and how a unique connection relates to them, but other than that it wasn't much help. To get this to work I had to download asocisoapclient_rel14.0, figure out how to get it to work, then capture its transactions with a broadworks platform using wireshark, then mimic what it did in PHP.

The asoscisoapclient is a valuable tool when attempting to get OCI over SOAP to work. Once you go through the painful process of getting it to work, you can take a capture while it's executing and look at the communication between it and the webserver. To get asoscisoapclient to work I had to:
  1. Update JRE to 1.6.x
  2. Make sure the JAVA_HOME environment variable is set to something like "C:\Program Files\Java\jre6" (quotes included). This can be set by right clicking on "My Computer"->Properties->Advanced->Environment Variables. Look under system variables and make sure it is there. If it is not, add it. From a command line you can check to make sure it has been set properly by typing echo %JAVA_HOME% and seeing the path displayed. That path must have the java "bin" folder in it.
  3. Download asoscisoapclient
  4. Unzip it
  5. Open asocisoapclient_rel14.0\ASOCISoapClient\ociclient.config
    1. set userId
    2. set password
    3. set url to be http://theserver/webservice/services/ProvisioningService
    4. set runMode = Single
    5. set singleInputFile = input.xml
    6. set singleOutputFile = response.xml
  6. Open a command prompt
    1. change directory to where you unzipped the download. cd "C:\Documents and Settings\WIN_USERNAME\My Documents\Downloads\asocisoapclient_rel14.0\ASOCISoapClient"
    2. execute startociclient.bat ociclient.config
    3. The program will not be able to authenticate because the request it uses to login (LoginRequest) is deprecated. The LoginRequest14sp4 should now be used. I didn't bother editing and recompiling their code to make this change because I was able to see what I needed to without doing so.
    4. The program will show the OCI commands but not the SOAP headers.

Now open wireshark, start a capture and execute the program. You should see http/xml packets go across your screen. The important things that I learned from this are:
  1. What the soap envelope looks like. (I just copied it.)
  2. That unlike the soap envelope, the OCI command must be html encoded.
  3. HTTP POSTs must be used
  4. The server is capable of using HTTP/1.1 even though the program uses HTTP/1.0 because the server responds using the HTTP/1.1 protocol (which is important because it allows for persistent connections)
  5. The SOAPAction: "" header must be defined
Finally, to replicate this in PHP I tried and confirmed that both PEAR's Http_Request class and PHP's extension php_curl.dll will do the trick. Http_Request seemed to be a little neater while curl seemed to be a bit more configurable. I've heard that Http_Request is just a wrapper for curl although I haven't confirmed that.

The important thing to remember is to use HTTP/1.1. If you don't and plan on, say, retrieving 1192 user records, your connection will close in the middle of things and you'll get only about the first 30. Another important thing to remember is that all transactions have to be done across the same connection. Just because you have a valid Session ID and JSESSIONID doesn't mean that you can drop the connection and then open up another using the same Session ID and JSESSIONID and pick up where you left off. I've read that a single Session ID and JSESSIONID are valid for hours, maybe even days, so it sounds like the trick is just keeping the connection open.

Finally, and most importantly, understand this: OCI over SOAP is very strict and rigid. The ErrorResponses oftentimes are not helpful and in my case were downright misleading. I kept getting a response that said "REQUEST_TIMEOUT – The OCS, or the Provisioning Server through the OCS, did not respond in a timely manner; the service may have received a RequestTimeoutException", which according to the little documentation that exists told me to "Verify that the Provisioning Server is running and Verify that the OCS is communicating with the Provisioning Server". This sent me on a diagnostic tangent wondering if PHP was using multiple HTTP connections during a single script execution, leaving my requests that weren't on the initial connection to time out. The real problem turned out to be a misplaced "&" in the OCI command. Somewhere in the process of html encoding and decoding the requests it got added where it shouldn't have been and caused about 3 hours of unnecessary, discouraging pain.

I will post my PHP class for accessing the broadworks platform when I finish it up. You can email blake.mckeeby@gmail.com and I can see if I can help although I am definitely no pro at this sort of thing.

Note:
Apparently you can put more than one OCI request inside a SOAP envelope but I haven't tried this yet. It isn't recommended to put more than 15 OCI requests in a single envelope.
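
The findings from the capture, applied with php_curl in an added example (this is not the author's class, which the post does not include, and not BroadSoft code). The post does not show the envelope, so it is passed in as a template; the `{{OCI}}` token, the `Content-Type` value, the function and class names and the sample commands are assumptions made for this example.

```php
<?php
// Added example. The SOAP envelope is not shown in the post: copy it from your
// own capture and put the token {{OCI}} where the encoded OCI command goes.

/** Problems that make a raw OCI command unsafe to send; empty array = well-formed. */
function oci_problems(string $ociXml): array
{
    if (trim($ociXml) === '') {
        return ['empty command'];
    }
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    $ok = (new DOMDocument())->loadXML($ociXml, LIBXML_NONET); // no network fetches
    $problems = [];
    foreach (libxml_get_errors() as $e) {
        if ($e->level >= LIBXML_ERR_ERROR) {   // skip parser warnings
            $problems[] = sprintf('line %d, column %d: %s', $e->line, $e->column, trim($e->message));
        }
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok && !$problems) {
        $problems[] = 'not well-formed XML';
    }
    return $problems;
}

/** Encode the OCI command exactly once and place it in the unencoded envelope. */
function oci_soap_body(string $envelopeTemplate, string $ociXml): string
{
    if (substr_count($envelopeTemplate, '{{OCI}}') !== 1) {
        throw new InvalidArgumentException('envelope template needs exactly one {{OCI}} token');
    }
    // A stray "&" is caught here, locally, instead of by a misleading server error.
    if ($problems = oci_problems($ociXml)) {
        throw new InvalidArgumentException('OCI command rejected: ' . implode('; ', $problems));
    }
    $flags = ENT_QUOTES | ENT_XML1;
    $encoded = htmlspecialchars($ociXml, $flags, 'UTF-8');
    // Decoding once must give back the original; anything else means the
    // command was mangled on the way through the encoder.
    if (htmlspecialchars_decode($encoded, $flags) !== $ociXml) {
        throw new RuntimeException('encoded command does not decode back to the original');
    }
    return str_replace('{{OCI}}', $encoded, $envelopeTemplate);
}

/** Every request of a session shares one cURL handle: one connection, one cookie jar. */
final class OciSession
{
    private $ch;
    private int $sent = 0;

    public function __construct(string $url)
    {
        $this->ch = curl_init($url);
        curl_setopt_array($this->ch, [
            CURLOPT_POST           => true,
            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,   // persistent connection
            CURLOPT_HTTPHEADER     => ['Content-Type: text/xml; charset=UTF-8', // assumption
                                       'SOAPAction: ""'],
            CURLOPT_COOKIEFILE     => '',    // in-memory cookie engine keeps JSESSIONID
            CURLOPT_RETURNTRANSFER => true,
        ]);
    }

    public function send(string $soapBody): string
    {
        curl_setopt($this->ch, CURLOPT_POSTFIELDS, $soapBody);
        $response = curl_exec($this->ch);
        if ($response === false) {
            throw new RuntimeException('transport error: ' . curl_error($this->ch));
        }
        // After the first request, a new TCP connect means the connection the
        // session was tied to has been dropped.
        if ($this->sent++ > 0 && curl_getinfo($this->ch, CURLINFO_NUM_CONNECTS) > 0) {
            throw new RuntimeException('connection was re-opened mid-session; log in again');
        }
        return $response;
    }
}

// --- Offline demonstration on constructed input ------------------------------
// Placeholder envelope and made-up commands: neither is real OCI schema.
$envelope = '<Envelope><Body><arg>{{OCI}}</arg></Body></Envelope>';
$good = '<command name="Example"><groupId>Sales &amp; Support</groupId></command>';
$bad  = '<command name="Example"><groupId>Sales & Support</groupId></command>';

echo oci_soap_body($envelope, $good), PHP_EOL;
try {
    oci_soap_body($envelope, $bad);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // names the line and column of the stray "&"
}

// Against a real server, log in and query through ONE OciSession object.
// The post's URL is plain http, so the login crosses the network unencrypted;
// use https if the server offers it.
// $s = new OciSession('http://theserver/webservice/services/ProvisioningService');
// $s->send(oci_soap_body($envelope, $loginRequest));
```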

Edgemarc Sip Registration Control

 
When the phone registers it tells the server how long its registration should be good for. If you want the edgemarc to intercept and replace this value, enable and edit the "Softswitch/IP-PBX expires Overides (s)" field. The softswitch then responds to the registration expire value with either what the phone sent or what it is configured for. If you want this value to be overridden, enable and edit the "Phone Expires Override (s)" field. Finally, the edgemarc prevents the softswitch from being flooded with registration attempts. The "Rate-Pacing interval (s)" determines how often the edgemarc will allow a phone's registration to be sent through it.
Note: when the edgemarc was configured as pictured above, summit-broadband said it was seeing reregistrations every 15 seconds exactly.

Summit-broad uses the reregistrations to keep the session alive in their session border controllers.

Edgemarc Keepalive Messages

If you tell the edgemarc to send keepalive messages it sends SIP Option Request "pings" (messages that ask the Sip Server what it is capable of). Some providers like Summit Broadband don't respond to these requests unless a phone is registered. Because the service provider doesn't respond the edgemarc thinks their service is down and goes into local mode. When the edgemarc is in local mode it doesn't forward the registration requests from the phone to the provider.

Problem:
If the edgemarc is started and the "Number of missed messages to declare alarm" is reached before the phone sends the registration request, the edgemarc goes to local only mode and the edgemarc will then never leave local only mode because the service provider will not respond to the Sip Option Request "pings"

FXO Configuration on Edgemarc 4508

  • Make sure that Survivability is set to Enabled (auto) on the Survivability page and that Request Subscriber Information from SIP Server is checked
  • On the Sip GW page make sure Enable SIP FXO/Line services is checked and Enable FXO port is checked for both port 1 and port 2
  • Finally on the VoIP Alg -> Sip -> Trunking page make sure there is an "Internal Sip Gateway" listed under the Sip Trunking Devices on the same network as the other VoIP devices and the Alg. Also make sure there is a Default Route routing all inbound calls to the Internal Gateway

Setup Mysql Replication

First it is probably a good idea to make sure the two servers are the same version with the exact same configuration (including global variables configured the same). The first time I set this up I did not, and I think it ended up causing me a lot of trouble because by default in a windows mysql server installation "lower_case_table_names=1" and by default in a linux mysql server installation "lower_case_table_names=0". From the mysql website:
By default, table aliases are case sensitive on Unix, but not so on Windows or Mac OS X.
Thus when I set up tables in my windows mysql server (master) I carelessly named them using CamelCase. I then did a dump of all the databases and loaded them into the linux mysql installation (slave). The dump did not preserve the casing I used when I originally created the tables and thus all table names in the linux installation were lowercase. When the replication process began the windows server would write queries using the casing that was used when the tables were created. Linux, being case sensitive by default, did not accept these queries, failing with Error 'Table '' doesn't exist'.

You can check whether lower_case_table_names is enabled by connecting to the server and typing
SHOW GLOBAL VARIABLES like 'lower%';
Since lower_case_table_names is not a dynamic variable it cannot be set from a client connected to the server. It instead must be added to the config file for mysql.
  • nano /etc/my.cnf
  • add the following under [mysqld]: set-variable = lower_case_table_names=1
  • Restart the running server: service mysqld restart



Getting the Installation Back in Working Order
By the time I figured this out, the replication process was so out of sync I had to start again. To clear the replication logs, I turned off the master installation on the windows machine by executing the following at the cli:
mysqladmin -u root -p shutdown
I then executed the following commands in a mysql client connected to the slave to reset the slave settings and drop any databases to prepare it to be loaded with the most recent data from the master:

STOP SLAVE;
RESET SLAVE; 
drop database [database];



I stopped the mysqld service on the slave and then restarted the mysqld service on the master. From a client connected to the master I executed the following command
RESET MASTER;

I then performed a dump on the master from the slave and loaded the information into the slave:
mysqldump -u root -h [master host] -p --databases [list of databases separated with spaces] > db.sql
mysql -u root -p < db.sql

Finally I reconfigured the slave and started the slave:

CHANGE MASTER TO MASTER_HOST='', MASTER_USER='', MASTER_PASSWORD='';
SLAVE START;

Initial Configuration
Other than that, configuring mysql replication was pretty straight forward.
To configure the master:
create the folder C:\Program Files\MySQL\MySQL Server 6.0\replication
put the following in C:\Program Files\MySQL\MySQL Server 6.0\my.ini under [mysqld]
### START REPLICATION CONFIG  ###
server-id = 1
relay-log = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql-relay-bin"
relay-log-index = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql-relay-bin.index"
log-error = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql.err"
master-info-file = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql-master.info"
relay-log-info-file = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql-relay-log.info"
datadir = "C:/Program Files/MySQL/MySQL Server 6.0/data"
log-bin = "C:/Program Files/MySQL/MySQL Server 6.0/replication/mysql-bin"
### END REPLICATION CONFIG ###



To configure the slave:
put the following in /etc/my.cnf
# changes made to do slave
server-id = 2
relay-log = /usr/local/mysql/var/mysql-relay-bin
relay-log-index = /usr/local/mysql/var/mysql-relay-bin.index
log-error = /usr/local/mysql/var/mysql.err
master-info-file = /usr/local/mysql/var/mysql-master.info
relay-log-info-file = /usr/local/mysql/var/mysql-relay-log.info
datadir = /usr/local/mysql/var
# end slave setup

Install Rsyslogd

yum install gcc mysql mysql-server mysql-devel
cd /home//Downloads
wget http://www.rsyslog.com/Downloads-req-getit-lid-204.phtml
tar xzf rsyslog-5.5.5.tar.gz
cd rsyslog-5.5.5
./configure --enable-mysql
make
make install

splunk

chcon -c -v -R -u system_u -r object_r -t lib_t $SPLUNK_HOME/lib 2>&1 > /dev/null
You can also disable the check when splunk starts by adding this line to the $SPLUNK_HOME/bin/setSplunkEnv script
export SPLUNK_IGNORE_SELINUX=1

Temperature of networking equipment

Most networking equipment should be kept between 0 and 40 degrees Celsius (32-104 in Fahrenheit).

Edgemarc Configuration

Can't use the Firewall 2. Breaks the connection and doesn't allow rtp traffic to flow. The call setup and teardown will work but no audio will be sent or received.
The traffic shaper should be used by setting the upstream and downstream bandwidth to a little less than the circuit supports. That way the edgemarc will prioritize the voice packets and drop the data packets instead of allowing random packets to be dropped later in the connection because there is not enough bandwidth to support all the traffic. The suggested bandwidth value for one T1 is 1320 kbps.

Installing Nagios on Fedora

If you follow these instructions, here's what you'll end up with:
  • Nagios and the plugins will be installed underneath /usr/local/nagios
  • Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
  • The Nagios web interface will be accessible at http://localhost/nagios/
  • Preparing Linux for Nagios installation
    • Make sure you've installed the following packages on your Fedora installation before continuing
      • Apache
      • GCC compiler
      • GD development libraries
    •  They can be installed by running
      • yum install httpd
      • yum install gcc
      • yum install glibc glibc-common
      • yum install gd gd-devel
    • Become the root user.
      • su -l
    • Create a new nagios user account and give it a password.
      • /usr/sbin/useradd -m nagios
      • passwd nagios
    • Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.
      • /usr/sbin/groupadd nagcmd
      • /usr/sbin/usermod -a -G nagcmd nagios
      • /usr/sbin/usermod -a -G nagcmd apache
  • Create a directory for storing the downloads.
    • mkdir ~/downloads
    • cd ~/downloads
  • Download the source code tarballs of both Nagios and the Nagios plugins
    • wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz
    • wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
  • Compile and Install Nagios
    • Extract the Nagios source code tarball.
      • cd ~/downloads
      • tar xzf nagios-3.1.2.tar.gz
      • cd nagios-3.1.2
    • Run the Nagios configure script, passing the name of the group you created earlier like so
      • ./configure --with-command-group=nagcmd
    • Compile the Nagios source code.
      • make all
    • Install binaries, init script, sample config files and set permissions on the external command directory.
      • make install
      • make install-init
      • make install-config
      • make install-commandmode
  • Customize Configuration
    • Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed... 
      •  Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.
        • nano /usr/local/nagios/etc/objects/contacts.cfg
  • Configure the Web Interface
    • Install the Nagios web config file in the Apache conf.d directory.
      • make install-webconf
    • Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.
      • htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
    • Restart Apache to make the new settings take effect.
      • service httpd restart
  • Compile and Install the Nagios Plugins
    • Extract the Nagios plugins source code tarball.
      • cd ~/downloads
      • tar xzf nagios-plugins-1.4.13.tar.gz
      • cd nagios-plugins-1.4.13
    • Compile and install the plugins.
      • ./configure --with-nagios-user=nagios --with-nagios-group=nagios
      • make
      • make install
  • Start Nagios
    • Add Nagios to the list of system services and have it automatically start when the system boots.
      • chkconfig --add nagios
      • chkconfig nagios on
    • Verify the sample Nagios configuration files
      • /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    • If there are no errors, start Nagios.
      • service nagios start
  • Modify SELinux Settings
    • Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.
      • See if SELinux is in Enforcing mode.
        • getenforce
      • Put SELinux into Permissive mode.
        • setenforce 0
      • To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.
    • Instead of disabling SELinux or setting it to permissive mode, you can use the following command to run the CGIs under SELinux enforcing/targeted mode:
      • chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
      • chcon -R -t httpd_sys_content_t /usr/local/nagios/share/
  • Login to the Web Interface
    • You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.
      • http://localhost/nagios/ 

To make sure an snmp check is working you can issue the following command in /usr/local/nagios/libexec.

./check_snmp -H [host] -p [port] -w 35 -c 40 -o 1.3.6.1.4.1.1748.3.1.1.6.0
 

    Preparing Fedora

    # Install wget a utility for retrieving files using the HTTP or FTP protocols
    yum install wget

    # Install wput a utility for uploading files or whole directories to remote ftp-servers
    yum install wput

    #install apache
    yum install httpd

    #install GNU Compiler Collection (GCC), a compiler system produced by the GNU Project
    #supports languages: C, C++, Objective-C, Fortran, and Java
    yum install gcc

    #install the corresponding desired libraries
    yum install gcc-ada
    yum install gcc-java
    yum install gcc-objc

    Mediatrix Configuration

    g711pcmu must be enabled to work with the voice portal, if it is not you will get a half a ring and then a fast busy

    Mediatrix 1124 Firmware Upgrade

    If you pick static file for the firmware you must specify the location of the folder containing the firmware (without beginning and ending "/") :
    zend_crm/public/files/firmware/mediatrix/current/1124

    if you pick remote file for the firmware you must specify the location of the Setup.inf file:
    zend_crm/public/files/firmware/mediatrix/current/1124/Setup.inf

    Installing and Configuring TFTP Server on Linux

    • Install
      • yum install tftp-server
    • Setup 
      • nano /etc/xinetd.d/tftp
        • Find disable = yes, make it no 
        • change server_args to the location that you want the root of the tftp server to be in 
          • -v is necessary so the tftp will log all requests 
          • -c option allows you to upload files to the tftp server without them first existing
          • server_args             = -v -s /tftpboot 
    • Start TFTP Server (Note: auto-startup tftp might not be good idea)
      • /sbin/chkconfig tftp on
      • /sbin/chkconfig xinetd on
      • /sbin/service xinetd start 
    • Testing
      •  touch /tftpboot/test
      • From another computer, Linux, OS X:
        • tftp [ip of tftp server]
        • tftp> get test
        • tftp> quit
      • From another computer, Windows OS:
        • tftp 192.168.0.1 GET test
        • If you can see “test” under the current directory, then this TFTP server should work properly.
        • If not, check the firewall, open UDP port 69. You can run system-config-security to open it.
      • You can use grep tftp /var/log/messages to see the log

    Upgrading Cisco 7940 Firmware and Configuring

    Upgrading Firmware

    • Key things to remember before beginning the upgrade
    • Must go from SCCP 3.1 to SIP 2.3 to SIP 6.3 to SIP 7.5. All version 8 software seem to go into a never ending reboot cycle
    • At a certain point **# no longer unlocks the phone and you must type the password "cisco" in to configure the phone
    • All of Cisco's information about upgrading firmware can be found at:
      http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7960g_7940g/mgcp/firmware/matrix/frmwrup.html

    • Download firmware from
      http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.3&mdfid=268437897&sftType=Session+Initiation+Protocol+%28SIP%29+Software&optPlat=&nodecount=27&edesignator=null&modelName=Cisco+Unified+IP+Phone+7940G&treeMdfId=278875243&modifmdfid=null&imname=&treeName=Wireless&hybrid=Y&imst=N

    • Place necessary files in root of TFTP server
    • The phone first looks for OS79XX.txt.  The OS79XX.TXT file must only contain the name of the file that you attempt to load, without the .bin extension.

    • If you convert from SCCP to SIP and the version you attempt to load is SIP 2.3 software or earlier, the OS79XX.TXT must be in the format of POS3xxyy . For example, if the SIP software version is 2.2, the file must contain POS30202.
    •  If you convert from SCCP to SIP and the version you attempt to load is SIP 3.0 software or later, the OS79XX.TXT must be in the format of POS3-xx-y-zz . For example, if the SIP software version is 7.4, the file must contain POS3-07-4-00.
    •  If you convert from SIP to SCCP, the OS79XX.TXT must be in the format of P003aabbccdd. For example, if the SCCP software version is 7.2(3), the file must contain P00307020300.

    • Configure network settings of the phone
    • Turn DHCP off
    • Set IP Address
    • Set netmask
    • Set default gateway
    • Set DNS

    • Set address of primary TFTP server

    • Reboot the phone to begin downloading the new firmware
    Configuring Phone
    • The SipDefault.cnf has all of the main configuration settings that are the same for each phone.
    • The SipMAC.cnf has all of the phone specific settings line/port and authentication information.
    • The SEPMAC.cnf.xml just tells what load to use
    • The OS79XX.txt just tells what load to use (it is loaded first in most cases)

    Call Waiting With Broadsoft and Mediatrix 1124s

    Call waiting is only dependent upon its status in the Mediatrix 1124. If it is disabled in the Mediatrix 1124, the second caller gets a busy signal; if it is enabled in the Mediatrix 1124, the second caller hears a ring and the callee hears a tone to indicate the second call. Call waiting is in no way dependent upon Broadsoft.

    Installing and Configuring Apache & PhpMyAdmin on Fedora

    If you install Phpmyadmin on Fedora using yum, it will place the files in /usr/share/phpmyadmin
    and will add phpmyadmin.conf to the /etc/httpd/conf.d folder. To configure http://[url]/phpmyadmin to go to the /usr/share/phpmyadmin folder

    Nagios & Sendmail SMTP Relay

    When a notification has made it successfully through all of the filters, it executes the commands defined in the host_notification_commands or the service_notification_commands directive for the contact that is being notified. These commands are defined in /usr/local/nagios/etc/commands.cfg. The default notify-service-by-email command uses the /usr/bin/mail script to send emails. This script allows users to send emails quickly by using the sendmail server that comes installed with Fedora OS.

    In order for nagios to be able to send valid email (email that won't be blocked by spam filters and has a valid return address) on behalf of a domain whose mail server is not the local machine, the local mail server must relay all emails to that domain's mail server. By default most mail servers will only receive emails sent to users of the domains they are responsible for. Only after authenticating can a user send mail from the server to an outside domain. If the ability to send mail to any domain was available to unauthenticated users, anyone could send limitless spam from the server. Thus, in order for sendmail to be able to send email to domains other than the domains the relay server is responsible for, it must authenticate with the relay server.

    Before configuring sendmail, it is important to check that the relaying server is configured properly to allow an authenticated user to send mail. This can be confirmed by:
    • telnet to the relay mail server
      • telnet [relay server's hostname/ip] [port]
      • 220 Smokey.ip2business.com Microsoft ESMTP MAIL Service ready at Wed, 26 May 2010 17:41:52 -0400
    • issue ehlo command to see the mail server's list of extensions. The mail server must support the AUTH LOGIN extension to allow users to authenticate.
      • ehlo client-domain.com
      • 250-mailserver-domain.com Hello [ip address]
        250-SIZE
        250-PIPELINING
        250-DSN
        250-ENHANCEDSTATUSCODES
        250-X-ANONYMOUSTLS
        250-AUTH NTLM LOGIN
        250-X-EXPS GSSAPI NTLM
        250-8BITMIME
        250-BINARYMIME
        250-CHUNKING
        250-XEXCH50
        250 XRDST
    • Make sure the mail server is not an open relay (allows unauthenticated users to send mail to domains not handled by the server) by attempting to send an email to an outside domain. If an error message is not generated after the "rcpt to" command, this security issue must be fixed.
      • mail from: doesnt-matter@domain.com
      • 250 2.1.0 Sender OK
      • rcpt to: doesnt-matter@external-domain.com
      • 550 5.7.1 Unable to relay
      • rset
      • 250 2.0.0 Resetting
    • Now authenticate with the mail server and attempt to send the email again
      • Issue the auth login command to initiate the authentication process. The server will respond with "Username:" in base64 encoding
      • auth login
      • 334 VXNlcm5hbWU6
      • enter your username in base64 encoding. This site will convert for you: http://www.opinionatedgeek.com/dotnet/tools/base64encode/
      • [username in base64]
      • 334 UGFzc3dvcmQ6
      • The mail server then responds by asking for your password in base64
      • [password in base64]
      • 235 2.7.0 Authentication successful
      • mail from: doesnt-matter@mail-server-domain.com
      • 250 2.1.0 Sender OK
      • rcpt to: doesnt-matter@external-domain.com
      • 250 2.1.5 Recipient OK
      • data
      • 354 Start mail input; end with .
      • Subject: "[Text for the subject line]"
      • [Text for the body of the email]
      • .
      • 250 2.6.0 <3325ca07-af24-4837-96b2-c0fe558897d7@domain.com> Queued mail for delivery
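    The same pre-flight checks can be run over a captured session instead of by eye. The following is an added example, not part of the original notes: the function names are hypothetical and the EHLO reply is the sample quoted above. It also encodes the AUTH LOGIN credentials locally, so they never have to be pasted into a conversion website, and reports whether STARTTLS is advertised, since base64 does not hide the password on the wire.

```python
import base64
# Constructed sample: the EHLO reply quoted in the notes above.
EHLO_REPLY = """\
250-mailserver-domain.com Hello [ip address]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST"""

def parse_ehlo(reply):
    """Map each advertised extension keyword to its parameter list."""
    extensions = {}
    for line in reply.splitlines()[1:]:        # line 0 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, *params = line[4:].upper().split()
        extensions[keyword] = params
    return extensions

def preflight(reply):
    """Findings for the relay: can we AUTH LOGIN, and is it protected?"""
    ext = parse_ehlo(reply)
    # Base64 is not encryption: without STARTTLS, AUTH LOGIN is readable.
    return {"auth_login": "LOGIN" in ext.get("AUTH", []),
            "starttls": "STARTTLS" in ext}

def decode_prompt(line):
    """Decode a '334 <base64>' AUTH LOGIN challenge into text."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {line!r}")
    return base64.b64decode(payload, validate=True).decode("ascii")

def encode_credential(value):
    """Base64-encode a username or password locally for AUTH LOGIN."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def relay_verdict(rcpt_reply):
    """Classify the unauthenticated 'rcpt to' reply for an outside domain."""
    verdicts = {"2": "open relay", "4": "deferred", "5": "refused"}
    return verdicts.get(rcpt_reply[:1], "unknown")
```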
    Once you have verified the relaying server has been configured properly, sendmail can be configured to send all of its mail to the relay server by using the SMART_HOST directive and SMTP_AUTH with PLAIN mech for authentication. The following directions come from http://www.screaming-penguin.com/node/4214.  Many Linux distros use Sendmail as the default MTA (Fedora among them).
    1. Note that the default location on Fedora (and many distros) for Sendmail installed files is "/etc/mail". sendmail.cf, sendmail.mc, the access map, and so on are located at /etc/mail.
    2. Check that your Sendmail binary has STARTTLS and SASL support:
         sendmail -d0.1 -bv
       Make sure STARTTLS and SASL are present in the output. This is the default on Fedora and other distros now, so they are likely already there - if you do not have these you need to back up and recompile sendmail to include them. Yes, the client usage requires them.
    3. Edit your sendmail.mc to include the "smart host" option. (Use brackets here if you want sendmail to skip an MX record lookup and use the A record - `[mail.bellsouth.net]'. Don't use brackets if you need the MX - `mail.bellsouth.net'. If you are unsure, try it with brackets and if it doesn't work take them out.)
         define(`SMART_HOST',`[mail.bellsouth.net]')
    4. Edit your sendmail.mc to set up a map for "authinfo".
         FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
    5. Check the rest of your sendmail.mc to make sure that things are sane and items relevant to STARTTLS and SASL are uncommented and valid. For example, check to ensure you have the certificate related entries (and that these entries are valid - you may have to create the sendmail.pem cert - from the cert dir "make sendmail.pem" assuming you have the OpenSSL libraries available):
         define(`confCACERT_PATH',`/usr/share/ssl/certs')
         define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
         define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
         define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
       Make sure you also have the auth mechanisms defined/uncommented (I am not sure this should be required just for the client - but I had to enable to get things working):
         define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
         define(`confAUTH_OPTIONS', `A p y')dnl
         TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
       Also you should turn up the logging temporarily in order to verify things:
         define(`confLOG_LEVEL', `20')dnl
    6. Create the "authinfo" file (the file that tells the SMTP_AUTH client what credentials to log in with for what domain).
         AuthInfo:mail.bellsouth.net "U:root" "I:user@bellsouth.net" "P:password" "M:LOGIN PLAIN"
    7. With the newly edited "sendmail.mc" file, use m4 (the sendmail macro burner) to create "sendmail.cf".
         m4 sendmail.mc > sendmail.cf
    8. With the newly created "authinfo" file, make the authinfo.db which sendmail will use.
         makemap hash /etc/mail/authinfo < /etc/mail/authinfo
    9. Restart sendmail (default /etc/init.d/sendmail restart) and check the logs (default /etc/maillog) to make sure there are no issues/errors/warnings. Errors such as unable to find STARTTLS certificate need to be addressed before you proceed; really there should be no errors or warnings, as these have meanings. ;)
    10. Run a map test to ensure that the "authinfo" db is being correctly picked up by your new sendmail configuration.
         echo '/map authinfo AuthInfo:mail.bellsouth.net' | /usr/sbin/sendmail -bt
       If this is found and there is an entry then proceed, otherwise something is amiss with authinfo and that needs to be addressed.
    11. OPTIONAL - Make an alias for the "root" user to go to an actual external email account (if not already done). For example, in /etc/aliases change the line under "Person that should get root's email" to go to "root: user@gmail.com" where that is a valid external email account. Make sure to run "newaliases" to invoke.
    12. Send an email to root and watch the logs.
         mail root
         Test
         this is a test
         .
    The logs should show all the SMTP level info (since it is using level 20) and should show a line that reads similar to:
         Feb 17 21:08:45 totsp sendmail[27587]: k1I28jTQ027587: MAIL From: SIZE=29 AUTH=root@yourhostname.org
    This shows that the AUTH was made. Then a little further down in the log you should see that the message was accepted. (If it was not accepted you will see that it was rejected and why: the response code.) UPDATE: Also see the new information on the Sendmail.org site about using Sendmail as an AUTH client - http://www.sendmail.org/~ca/email/auth.html.
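    A consistency check for steps 3, 4 and 6, given here as an added example that is not part of the original directions: it confirms that the active SMART_HOST has a matching AuthInfo key (the lookup step 10 performs), that the authinfo map is enabled, and, as an extra check the steps do not mention, that the file holding the clear-text relay password is not accessible to group or others. Function names are hypothetical and the inputs are constructed from the values used above.

```python
import re
import stat
# Constructed samples built from the values used in steps 3-6 above.
SENDMAIL_MC = """\
define(`SMART_HOST',`[mail.bellsouth.net]')
FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
"""
AUTHINFO = ('AuthInfo:mail.bellsouth.net "U:root" '
            '"I:user@bellsouth.net" "P:password" "M:LOGIN PLAIN"\n')

def active_lines(mc_text):
    """Drop lines that m4 discards because they start with dnl."""
    return [l.strip() for l in mc_text.splitlines()
            if l.strip() and not l.lstrip().startswith("dnl")]

def smart_host(mc_text):
    """Return the SMART_HOST name without MX-skipping brackets, or None."""
    for line in active_lines(mc_text):
        m = re.match(r"define\(`SMART_HOST',\s*`\[?([^\]']+)\]?'\)", line)
        if m:
            return m.group(1).lower()
    return None

def parse_authinfo(text):
    """Map each AuthInfo host key to its U/I/P/M fields."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("AuthInfo:"):
            key, _, rest = line.partition(" ")
            fields = dict(f.split(":", 1) for f in re.findall(r'"([^"]*)"', rest))
            entries[key[len("AuthInfo:"):].lower()] = fields
    return entries

def audit(mc_text, authinfo_text, mode):
    """List problems that break or weaken SMTP AUTH to the smart host."""
    findings = []
    host = smart_host(mc_text)
    entry = parse_authinfo(authinfo_text).get(host)
    if host is None:
        findings.append("SMART_HOST is not defined")
    elif entry is None:
        findings.append(f"no AuthInfo entry for {host}")
    elif "P" not in entry or not (entry.keys() & {"U", "I"}):
        findings.append(f"AuthInfo entry for {host} lacks credentials")
    if not any(l.startswith("FEATURE(`authinfo'") for l in active_lines(mc_text)):
        findings.append("authinfo map is not enabled")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("authinfo (clear-text password) is accessible to group or others")
    return findings
```

    On a live system, pass the file contents and os.stat('/etc/mail/authinfo').st_mode as the mode argument.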


    Nagios
    • the web gui can be reached by going to http://localhost/nagios/
    • the support documents can be found at http://support.nagios.com/knowledgebase/officialdocs
    • configuration files are in /usr/local/nagios
    • check nagios configuration files for errors by issuing: /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    • Main Nagios log file: /usr/local/nagios/var/nagios.log
    • Debug Log file: /usr/local/nagios/var/nagios.debug (debug level controlled in /usr/local/nagios/nagios.cfg)
    • By default nagios will automatically ping hosts and send notifications if the host goes down. This can be disabled with the "checks_enabled 0" directive
    • If the host has no service, a notification is sent only after the hard down state is reached. To reach the hard down state, first you must wait max_retry_attempts*retry_interval
    • By setting notification_interval 0 in the general-service template, Nagios will only send one (1) email per critical or down state. If this is set to something else, then you will generate multiple tickets, which is not good.
    • Services don't send notifications until they have reached a hard state as well.
    • Nagios uses the /bin/mail script to send email, which uses sendmail
    • Nagios dispatches all notifications to the sendmail client, which is responsible for sending the emails. The sendmail client queues mail in the /var/spool/clientqueue folder.
    • The check_ping!200.0,20%!600.0,60% command passes arguments delimited by "!". The first argument gets passed to the -w flag as the warning threshold (200ms round trip or 20% packet loss) and the second argument gets passed to the -c flag as the critical threshold (600ms or 60% packet loss).