Configuring WebSocket Tunnel with OVOC

When OVOC is deployed in a public cloud environment (e.g., Amazon Web Services), it can manage devices that are located behind NAT, by implementing WebSocket tunneling (over HTTP/S). All communication and management traffic (e.g., HTTP-based file download, NTP, syslog, debug recording, and SNMP) between the device and OVOC flows through this WebSocket tunnel. In this tunneling application, the device is the WebSocket client and OVOC is the WebSocket server.

WebSocket tunneling has many advantages over the alternative method for connecting OVOC to the device when located behind NAT (refer to the document One Voice Operations Center IOM Manual for more information). WebSocket tunneling easily resolves NAT traversal problems and requires a minimal amount of configuration (e.g., no need for port forwarding and no need for firewall settings to allow certain traffic).

The WebSocket tunnel connection between the device and OVOC is secure (HTTPS). When the device initiates a WebSocket tunnel connection, it verifies that the TLS certificate presented by OVOC is signed by one of the CAs in the trusted root store of its default TLS Context (ID #0). The device authenticates itself with OVOC using a username and password. These must be the same credentials as configured on OVOC.

By default, the device establishes the WebSocket connection through its default IPv4 OAMP IP interface, but you can associate a different IP Interface if you want. The device keeps the WebSocket tunnel connection open (i.e., persistent), allowing it to send and receive future management traffic through it. The connection closes only before the device (or OVOC) restarts.

WebSocket tunneling is supported for Microsoft Azure, Amazon AWS, VMware, or Microsoft Hyper-V cloud platforms. To check if other cloud platforms are supported, refer to the OVOC documentation.
If you configure the address of the WebSocket tunnel server (see the 'OVOC WebSocket Tunnel Server Address' parameter below) as a domain name, you also need to configure the address of the DNS server that you want to use for resolving the domain name into an IP address. This is configured in the IP Interfaces table for the associated IP Interface (see Configuring IP Network Interfaces).
When the device is configured for WebSocket tunneling with OVOC, the SBC Configuration Wizard (see SBC Configuration Wizard) is not supported (and not accessible from the Web interface).
To configure WebSocket tunneling on OVOC, refer to the document One Voice Operations Center IOM Manual.

The following procedure describes how to configure WebSocket tunneling on the device through the Web interface. You can also configure it through CLI (configure network > ovoc-tunnel-settings).

To configure WebSocket tunneling with OVOC on the device:
1. Open the SNMP Trap Destinations table (see Configuring SNMP Trap Destinations with IP Addresses), and then configure an SNMP trap manager with IP address 169.254.0.1.

IP address 169.254.0.1 represents the OVOC server in the WebSocket tunnel overlay network.

2. For sending Quality of Experience (QoE) voice metric reports to OVOC, open the Quality of Experience Settings table (see Reporting QoE to OVOC), and then configure the 'Primary OVOC Address' parameter to IP address 169.254.0.1.
3. Obtain the OVOC server's default certificate (trusted root certificate) for Managed Devices, and then import (see Importing Certificates into Trusted Root CA Certificate Store) the certificate into the device's Trusted Root store of the default TLS Context (ID #0).
4. Open the Web Service Settings page (Setup menu > IP Network tab > Web Services folder > Web Service Settings), and then under the OVOC Tunnel group, configure the following parameters:

'OVOC WebSocket Tunnel Server Address' [WSTunServer]: Configure the IP address or hostname (FQDN) of the OVOC server. If you configure the parameter to a hostname, the device uses the DNS server configured in Configuring a DNS Server for HTTP Services to resolve it into an IP address. If you use a hostname, the device checks that the hostname matches the certificate's Subject Name.
'Interface Name' [WSTunInterfaceName]: Select the device's IP Interface for the WebSocket tunnel. If not specified, the device uses the default OAMP IP Interface.
'Path' [WSTunServerPath]: Configure to "tun" (without quotation marks) to match the default OVOC configuration.
'Username' [WSTunUsername]: Configure it to match the WebSocket Tunnel username configured on OVOC. The default username is "VPN" (without quotation marks).
'Password' [WSTunPassword]: Configure it to match the WebSocket Tunnel password configured on OVOC. The default password is "123456" (without quotation marks).
'Secured (HTTPS)' [WSTunSecured]: Enable the parameter to use secure (HTTPS) transport for the WebSocket tunnel connection.
'Verify Certificate' [WSTunVerifyPeer]: Enable the parameter so that the device verifies the TLS certificate presented by OVOC during the establishment of the WebSocket tunnel connection.
5. Restart the device with a save-to-flash for your settings to take effect.
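The following is an added example (not from this page or from AudioCodes) of an offline check for the settings in Step 4: it parses an ini-style fragment that uses the bracketed parameter names listed above and flags the settings a reviewer would want changed before the tunnel goes live (HTTPS off, certificate verification off, default credentials, wrong path). It assumes the ini line format Name = value with quoted strings, and the sample values are constructed.

```python
import ipaddress
import re

# Constructed sample of an ini fragment (assumption: the bracketed parameter
# names on this page are the ini-file parameter names and lines are
# "Name = value" with strings in single quotes; not taken from the page).
SAMPLE_INI = """
WSTunServer = 'ovoc.example.com'
WSTunInterfaceName = ''
WSTunServerPath = 'tun'
WSTunUsername = 'VPN'
WSTunPassword = '123456'
WSTunSecured = 1
WSTunVerifyPeer = 0
"""

# Defaults documented on this page; leaving them in place is the weak setting.
DEFAULT_USERNAME = "VPN"
DEFAULT_PASSWORD = "123456"

LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*'?([^'\n]*?)'?\s*$")


def parse_ini(text):
    """Return {param: value} for the WSTun* lines, with quotes stripped."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1).startswith("WSTun"):
            params[m.group(1)] = m.group(2)
    return params


def audit_tunnel_config(params):
    """Return a list of (level, message) findings; only 'info' means sound."""
    findings = []
    server = params.get("WSTunServer", "")
    if not server:
        findings.append(("high", "WSTunServer is empty: tunnel is not configured"))
    if params.get("WSTunSecured") != "1":
        findings.append(("high", "WSTunSecured is off: credentials and management traffic travel in clear text"))
    if params.get("WSTunVerifyPeer") != "1":
        findings.append(("high", "WSTunVerifyPeer is off: the OVOC certificate is not checked against the trusted root store"))
    if params.get("WSTunUsername") == DEFAULT_USERNAME and params.get("WSTunPassword") == DEFAULT_PASSWORD:
        findings.append(("high", "default tunnel credentials (VPN/123456) are still in use"))
    if params.get("WSTunServerPath") != "tun":
        findings.append(("high", "WSTunServerPath is not 'tun' and will not match the default OVOC configuration"))
    # A hostname is fine, but the page requires DNS on the tunnel interface and
    # the device then also matches the hostname against the certificate Subject.
    try:
        ipaddress.ip_address(server)
    except ValueError:
        if server:
            findings.append(("info", "WSTunServer is a hostname: configure DNS on the tunnel IP Interface"))
    return findings
```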

You can view the status of the WebSocket connection in the following read-only fields on the Web Service Settings page (see Step 4):

'Status': Displays the status of the WebSocket tunnel - "Not Configured", "Not Connected", "Connected", or "Re-Connected".
'IP address': Displays the IP address allocated to the device by OVOC through the WebSocket tunnel.