Configuring an HTTP-based OVOC Service

The OVOC Services table lets you configure a single HTTP-based AudioCodes One Voice Operations Center (OVOC) service. You can configure the device to act as an HTTP Proxy that enables OVOC to manage AudioCodes equipment (such as IP Phones) over HTTP when the equipment is located behind NAT (e.g., in the LAN) and OVOC is located in a public domain (e.g., in the WAN). This setup resolves NAT traversal issues. The IP Phones register with the device to allow communication between the IP Phones and OVOC. Once set up, the OVOC administrator can access the Web-based management interface of each IP Phone.

A summary of the steps required to configure an HTTP Proxy for this OVOC service is listed below:

1. Enable the HTTP Proxy application (see Enabling the HTTP Proxy Application).
2. Configure two local, listening IP network interfaces - one for OVOC and one for the IP Phones (see Configuring IP Network Interfaces).
3. Configure the OVOC service in the OVOC Services table (described below). This entails specifying the IP network interfaces as well as the port number within each interface on which the HTTP Proxy must listen.
4. Configure the device's firewall (Firewall table) to allow incoming traffic from OVOC. For more information, see Configuring Firewall Rules to Allow Incoming OVOC Traffic.

Note:

It is recommended not to use port 80, as this is the default port used by IP Phones for their Web-based management interface.
No special configuration is required on the managed equipment.

The following procedure describes how to configure an OVOC service through the Web interface. You can also configure it through the ini file ([OVOCService]) or the CLI (configure network > http-proxy > ovoc-serv).

To configure an OVOC Service:
1. Enable the HTTP Proxy application, as described in Enabling the HTTP Proxy Application.
2. Open the OVOC Services table (Setup menu > IP Network tab > HTTP Proxy folder > OVOC Services).
3. Click New; the following dialog box appears:

4. Configure an OVOC Service according to the parameters described in the table below.
5. Click Apply, and then save your settings to flash memory.

OVOC Services Table Parameter Descriptions

Parameter

Description

General

'Index'

[Index]

Defines an index number for the new table row.

Note:

Each row must be configured with a unique index.
The parameter is mandatory.

'Name'

service-name

[ServiceName]

Defines a descriptive name, which is used when associating the row in other tables.

The valid value is a string of up to 40 characters. By default, no value is defined.

Note:

Configure each row with a unique name.
The parameter is mandatory.

Device

'Device Login Interface'

device-login-interface

[DeviceLoginInterface]

Assigns an IP network interface (local, listening HTTP interface:port) for communication with the client. To configure IP Interfaces, see Configuring IP Network Interfaces.

By default, no value is defined.

Note:

The parameter is mandatory.
The NGINX directive for this parameter is "proxy_bind".

'Device Login Port'

device-login-port

[DeviceLoginPort]

Defines the login port of the requesting client.

Note: The NGINX directive for this parameter is "proxy_bind".

'Device Scheme'

device-scheme

[DeviceScheme]

Defines the protocol for communication with the requesting client.

[0] HTTP (default)
[1] HTTPS

Note: If configured to HTTPS, you must assign a TLS Context (see the 'Device Login TLS Context' parameter, below).

'Device Login TLS Context'

device-login-tls-context

[LoginInterfaceTLSContext]

Assigns a TLS Context (TLS configuration) for the interface with the requesting client. This is required if you have configured the 'Device Scheme' parameter to HTTPS (see above). To configure TLS Contexts, see Configuring TLS Certificate Contexts.

Note: The NGINX directives for this parameter are "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_ciphers", and "proxy_ssl_protocols".

'Device Login Interface Verify Certificate'

device-interface-verify-cert

[LoginInterfaceVerifyCert]

Enables the verification of the TLS certificate that is used in the incoming client connection request.

[0] No = (Default) No certificate verification is done.
[1] Yes = The device verifies the certificate received from the client. The device authenticates the certificate against the trusted root certificate store associated with the assigned TLS Context (see 'Device Login TLS Context' parameter above) and, if authentication succeeds, allows communication with the client. If authentication fails, the device denies communication (i.e., the handshake fails). The device can also check whether the certificate has been revoked by querying an Online Certificate Status Protocol (OCSP) server. This is also configured for the associated TLS Context.

Note: The NGINX directive for this parameter is "proxy_ssl_verify".

OVOC

'OVOC Listening Interface'

ovoc-interface

[OVOCListeningInterface]

Assigns an IP network interface (local, listening HTTP interface:port) for communication with OVOC. To configure IP Interfaces, see Configuring IP Network Interfaces.

By default, no value is defined.

Note:

The parameter is mandatory.
The NGINX directive for this parameter is "proxy_bind".

'OVOC Listening Port'

ovoc-port

[OVOCListeningPort]

Defines the listening port for the OVOC interface.

Note: The NGINX directive for this parameter is "proxy_bind".

'OVOC Scheme'

ovoc-scheme

[OVOCScheme]

Defines the security scheme for the connection with OVOC.

[0] HTTP (default)
[1] HTTPS

Note:

If configured to HTTPS, you must assign a TLS Context (see the 'OVOC Interface TLS Context' parameter, below).
The NGINX directive for this parameter is "proxy_pass scheme://upstream".

'OVOC Interface TLS Context'

ovoc-interface-tls-context

[OVOCInterfaceTLSContext]

Assigns a TLS Context (TLS configuration) for the OVOC listening interface. This is required if you have configured the 'OVOC Scheme' parameter to HTTPS (see above). To configure TLS Contexts, see Configuring TLS Certificate Contexts.

Note: The NGINX directives for this parameter are "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_ciphers", and "proxy_ssl_protocols".

'OVOC Interface Verify Certificate'

ovoc-verify-cer

[OVOCInterfaceVerifyCert]

Enables the verification of the TLS certificate that is used in the incoming connection request from OVOC.

[0] No = (Default) No certificate verification is done.
[1] Yes = The device verifies the certificate received from OVOC. The device authenticates the certificate against the trusted root certificate store associated with the assigned TLS Context (see 'OVOC Interface TLS Context' parameter above) and, if authentication succeeds, allows communication with OVOC. If authentication fails, the device denies communication (i.e., the handshake fails). The device can also check whether the certificate has been revoked by querying an Online Certificate Status Protocol (OCSP) server. This is also configured for the associated TLS Context.

Note: The NGINX directive for this parameter is "proxy_ssl_verify".

'OVOC Primary Server'

primary-server

[PrimaryServer]

Defines the address (IPv4 or IPv6) of the primary OVOC server.

Note:

This parameter is mandatory.
When you configure this parameter, an Upstream Group is automatically added (see Configuring Upstream Groups).
The NGINX directives for this parameter are "upstream ems { addr1, addr2 backup }" and "proxy_pass scheme://ems".
The IP address version (IPv4 or IPv6) of the OVOC address and the IP Interface (see 'OVOC Listening Interface' field above) must be the same.

'OVOC Backup Server'

backup-server

[BackupServer]

Defines the address (IPv4 or IPv6) of the secondary OVOC server.

Note:

When you configure this parameter, an Upstream Group is automatically added.
The NGINX directives for this parameter are "upstream ems { addr1, addr2 backup }" and "proxy_pass scheme://ems".
The IP address version (IPv4 or IPv6) of the OVOC address and the IP Interface (see 'OVOC Listening Interface' field above) must be the same.
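
The constraints and defaults in the table above can be checked before a row is applied. The following is an added example, not AudioCodes code: it audits one OVOC Services row expressed as a Python dict keyed by the ini parameter names. The dict representation, the interface names and addresses, and the TLS Context names are assumptions made for illustration.

```python
import ipaddress

# Keys are the bracketed ini names from the table; SIDES = (label, scheme, TLS Context, verify).
MANDATORY = ("ServiceName", "DeviceLoginInterface", "OVOCListeningInterface", "PrimaryServer")
SIDES = (
    ("Device", "DeviceScheme", "LoginInterfaceTLSContext", "LoginInterfaceVerifyCert"),
    ("OVOC", "OVOCScheme", "OVOCInterfaceTLSContext", "OVOCInterfaceVerifyCert"),
)

def audit_ovoc_service(row, interface_addrs):
    """Findings for one row; interface_addrs maps IP Interface name -> address (hypothetical input)."""
    findings = []
    for name in MANDATORY:
        if not row.get(name):
            findings.append(f"{name}: mandatory parameter is not set")
    if len(row.get("ServiceName", "")) > 40:
        findings.append("ServiceName: longer than 40 characters")
    for port in ("DeviceLoginPort", "OVOCListeningPort"):
        if row.get(port) == 80:
            findings.append(f"{port}: port 80 is the IP Phones' default Web management port")
    for label, scheme, ctx, verify in SIDES:
        if row.get(scheme, 0) == 0:  # [0] HTTP is the default
            findings.append(f"{scheme}: {label} side uses cleartext HTTP")
            continue
        if not row.get(ctx):
            findings.append(f"{ctx}: HTTPS requires a TLS Context")
        if row.get(verify, 0) == 0:  # [0] No is the default
            findings.append(f"{verify}: peer certificate is not verified")
    iface = interface_addrs.get(row.get("OVOCListeningInterface"))
    iface_ver = ipaddress.ip_address(iface).version if iface else None
    for server in ("PrimaryServer", "BackupServer"):
        if not (row.get(server) and iface_ver):
            continue
        try:
            ver = ipaddress.ip_address(row[server]).version
        except ValueError:
            findings.append(f"{server}: not a valid IPv4 or IPv6 address")
            continue
        if ver != iface_ver:
            findings.append(f"{server}: IP version differs from the OVOC listening interface")
    return findings

# Constructed sample rows (documentation address ranges), not taken from a real device.
INTERFACES = {"WAN-IF": "203.0.113.10", "LAN-IF": "192.0.2.1"}
DEFAULTS_ROW = {"ServiceName": "ovoc-1", "DeviceLoginInterface": "LAN-IF", "DeviceLoginPort": 80,
                "OVOCListeningInterface": "WAN-IF", "PrimaryServer": "2001:db8::5"}
HARDENED_ROW = {**DEFAULTS_ROW, "DeviceLoginPort": 8081, "PrimaryServer": "203.0.113.50",
                "DeviceScheme": 1, "LoginInterfaceTLSContext": "phones-tls", "LoginInterfaceVerifyCert": 1,
                "OVOCScheme": 1, "OVOCInterfaceTLSContext": "ovoc-tls", "OVOCInterfaceVerifyCert": 1}
```

Calling audit_ovoc_service(DEFAULTS_ROW, INTERFACES) reports the port 80 conflict, both HTTP schemes and the IPv6/IPv4 mismatch, while HARDENED_ROW returns no findings.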