Configuring WebSocket Tunnel with OVOC
When OVOC is deployed in a public cloud environment (e.g., Amazon Web Services), it can manage devices that are located behind NAT, by implementing WebSocket tunneling (over HTTP/S). All communication and management traffic (e.g., HTTP-based file download, NTP, Syslog, debug recording, and SNMP) between the device and OVOC flows through this WebSocket tunnel. In this tunneling application, the device is the WebSocket client and OVOC is the WebSocket server.
The WebSocket tunnel has many advantages over the alternative method for connecting OVOC to the device when located behind NAT (refer to One Voice Operations Center IOM Manual for more information). It easily resolves NAT traversal problems and requires a minimal amount of configuration; for example, there's no need for port forwarding or firewall settings to allow certain traffic.
The WebSocket tunnel connection between the device and OVOC is secure (HTTPS). When the device initiates a WebSocket tunnel connection, it verifies that the TLS certificate presented by OVOC is signed by one of the CAs in the trusted root store of its default TLS Context (ID #0). The device authenticates itself with OVOC using a username and password. These must be the same credentials as configured on OVOC.
The device establishes the WebSocket connection through the "main-vrf" VRF. The device keeps the WebSocket tunnel connection open (i.e., persistent), allowing it to send and receive future management traffic through it. The connection only closes before the device (or OVOC) restarts.
● when is Microsoft Azure, Amazon , VMware, or Microsoft Hyper-V. To check if it's supported on additional cloud platforms, refer to the OVOC documentation.
● If you configure the address of the WebSocket tunnel server (see the 'Address' parameter below) as a domain name, you also need to configure the address of the DNS server that you want to use for resolving the domain name into an IP address.
The following procedure describes how to configure WebSocket tunneling on the device through the Web interface. You can also configure it through CLI (configure network > ovoc-tunnel-settings).
➢ To configure WebSocket tunneling with OVOC on the device:
2. Open the Web Service Settings page (Setup menu > IP Network tab > Web Services folder > Web Service Settings), and then under the OVOC Tunnel group, configure the following parameters:
   ● 'OVOC WebSocket Tunnel Server Address' [WSTunServer]: Configure it to the IP address or hostname of the OVOC server.
   ● 'Path' [WSTunServerPath]: Configure it to "tun" (without quotation marks) to match the default OVOC configuration.
   ● 'Username' [WSTunUsername]: Configure it to match the WebSocket Tunnel username configured on OVOC. The default username is "VPN" (without quotation marks).
   ● 'Password' [WSTunPassword]: Configure it to match the WebSocket Tunnel password configured on OVOC. The default password is "123456" (without quotation marks).
   ● 'Secured (HTTPS)' [WSTunSecured]: Enable the parameter to use secure (HTTPS) transport for the WebSocket tunnel connection.
   ● 'Verify Certificate' [WSTunVerifyPeer]: Enable the parameter so that the device verifies the TLS certificate presented by OVOC during the establishment of the WebSocket tunnel connection.
IP address 169.254.0.1 represents the OVOC server in the WebSocket tunnel overlay network.
4. For sending Quality of Experience (QoE) voice metric reports to OVOC, open the Quality of Experience Settings table (see Configuring OVOC for Quality of Experience), and then configure the 'OVOC Address' parameter to IP address 169.254.0.1.
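
The following is an added example, not part of the vendor documentation: a Python check that reads the tunnel parameters named in the procedure above from an exported settings file and flags weak combinations (HTTPS or certificate verification left off, the documented default username or password still in place, and a hostname server address, which requires a configured DNS server). The `Name = value` file layout, the accepted spellings of "enabled", and the sample values are assumptions.

```python
import ipaddress
# Defaults stated on this page; anyone who has read the manual knows them.
DEFAULT_USERNAME, DEFAULT_PASSWORD = "VPN", "123456"
ENABLED = {"1", "enable", "enabled", "yes", "true"}  # assumed spellings of "on"

def parse_settings(text):
    """Parse 'Name = value' lines (assumed export layout; ';' lines are comments)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().lower()] = value.strip().strip("'\"")
    return settings

def audit_tunnel(text):
    """Return sorted finding codes for the OVOC tunnel parameters."""
    s = parse_settings(text)
    server = s.get("wstunserver", "")
    if not server:
        return []  # tunnel not configured, nothing to audit
    findings = set()
    if s.get("wstunsecured", "").lower() not in ENABLED:
        findings.add("NO_TLS")            # tunnel would run over plain HTTP
    if s.get("wstunverifypeer", "").lower() not in ENABLED:
        findings.add("NO_CERT_CHECK")     # OVOC certificate is not verified
    if s.get("wstunusername") == DEFAULT_USERNAME:
        findings.add("DEFAULT_USERNAME")
    if s.get("wstunpassword") == DEFAULT_PASSWORD:
        findings.add("DEFAULT_PASSWORD")
    try:
        ipaddress.ip_address(server)
    except ValueError:
        findings.add("NEEDS_DNS_SERVER")  # hostname: a DNS server must be configured
    return sorted(findings)

WEAK = """; constructed sample, not from a real device
WSTunServer = 'ovoc.example.com'
WSTunServerPath = 'tun'
WSTunUsername = 'VPN'
WSTunPassword = '123456'
WSTunSecured = 0
WSTunVerifyPeer = 0
"""
HARDENED = (WEAK.replace("'VPN'", "'site-a-gw'").replace("'123456'", "'constructed-Long-Secret'")
            .replace("Secured = 0", "Secured = 1").replace("VerifyPeer = 0", "VerifyPeer = 1")
            .replace("ovoc.example.com", "203.0.113.10"))

print(audit_tunnel(WEAK), audit_tunnel(HARDENED))
```

Because the username and password must match on both ends, replacing the defaults means changing them on OVOC as well as on the device.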