
IX Workplace Confusion.

Hello all.

I am currently trying to learn the IX Workplace Remote Worker requirements and any associated needs it may have for remote workers.

I have found a few docs from Avaya but they are somewhat confusing and always lead to 7 other documents. I am trying to understand the flow of a remote worker connecting to the enterprise from outside in the public to get auto configured and utilize local Avaya resources such as SIP/Session Manager CM/PPM and AADS for utility needs if needed.

I know I need system manager, SM, CM, AADS and a SBC.

From what I gather so far....
The outside remote worker enters a web address or FQDN to obtain its auto config. The client connects to the Enterprise SBC and the SBC then talks to the AADS to get the client's certificates that will be needed for its TLS connection over the public web, after that the user logs in with their email address and password which is configured I assume on System Manager under profiles??

If there is a LDAP to be used where is the LDAP configured? SMGR or AADS?? Would this LDAP be used for authentication to end users connecting? I think these are just my first few questions in all of this and thank you for any help.



 
Peel out the AADS part - it can do autoconfig for IXW clients inside and outside the enterprise.

Remote worker can register phones from the internet.

You can have AADS inside without a SBC

You can have remote 9600s outside without AADS.

If you go onto spaces.zang.io and create an account, you can add a company. That company has a domain. If I own kyleslab.ca, I can add it to Spaces and they'll ask me to put a little string in public DNS to prove I really do own DNS for kyleslab.ca.

Then in Spaces, I'll go add an "app" called "Equinox Cloud Client" and in the bottom box for public settings I'd paste this:

{"Client_Settings_File_Address":[{"Profile_Name":"KylesLab","Client_Settings_File_Url":"]}

If I was in my lab's office on private DNS, aads.kyleslab.ca might resolve to 192.168.whatever, and if I was on the internet, it'd resolve to a public IP that hit the SBC and would use a reverse proxy to get me where I want to go.

The idea of a reverse proxy is that it's a relay for HTTP. So, like you might have a proxy to get out to the internet from your office, it's the single point you pass through on the way out, a reverse proxy is the opposite and the single point you pass on the way in - like the SBC. You'll need those proxies for PPM for SIP phones - cause that's HTTPS and you'll need it for AADS too.

So now your client can talk to AADS. AADS always has an LDAP set up - usually the customer's Active Directory. What's important at this stage is that AADS correlate an LDAP account to a SMGRLoginName. That way when you pass kyle@kyleslab.ca as your login to AADS to Active Directory and AD says "yup, that's right!" then AADS would know what Aura user I am. You can even set up AADS to pass the SIP extension and encrypted password to the IXW client so your LDAP login gets you your SIP login too.

AADS has an on-board LDAP you can use if you like and it's a little ugly, but it gets the job done if you're stuck.
 
Thanks for the info Kyle.


So I will have remote workers using their PC that will have IX workplace for windows/mac installed. They will need to connect to the AADS server via the SBC. So as long as I have a DNS that points to the SBC and users configured in a LDAP they should be able to login?

Also the customer has no local LDAP like exchange. They use Google Education as their LDAP. I do not know much about Google's LDAP (G Suite). I have not found much documentation on it being used with Avaya AADS either.

What I am trying to wrap my head around is, what is the flow needed for a client to connect to the Avaya Aura environment, register and have the features they need. I am sure I need the SBC, SMGR, SM and AADS but I am not sure if I need anything else for IX workplace devices to connect.

I am familiar with the AADS openLDAP configuration, but adding new users to the onboard LDAP on AADS is something I am not familiar with. I checked in my lab and do not see where to add users to LDAP, is that done through SMGR and synced to AADS or am I missing something?



 
AADS recently started supporting - maybe in controlled intro - but it started supporting 3rd party auth schemes. Basically, same idea as with LDAP, but "login with your Gmail account".

Not sure if it supports just Office365, but look up Shibboleth. It's an identity provider. The idea being if you had an Active Directory but wanted to toss a "web login" on top of your app and point to that LDAP, Shibboleth is the part that puts it HTTP.

If you don't have a LDAP, then set them up with the openLDAP. That's an easy enough decision for you.

The LDAP name - like mail - would have to equal the SMGR login name. So, I hope your SMGR identities are named after people and not extensions :)
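
An added illustration of the requirement above that the LDAP attribute (such as mail) equal the SMGR login name; it is not part of the original post and not Avaya code. It compares an exported list of LDAP mail values with an exported list of SMGR login names before remote workers are enabled. The sample data, the function name `reconcile`, and the choice to flag case-only differences for review are assumptions made for this example.

```python
import re

# Constructed sample exports (not real accounts).
LDAP_MAIL = ["kyle@example.com", "Pat@example.com",
             "sam@example.com", "lee@example.com"]
SMGR_LOGINS = ["kyle@example.com", "pat@example.com",
               "5001@example.com", "lee@example.com"]

# A login whose local part is all digits looks like an extension, not a person.
EXTENSION_LOGIN = re.compile(r"^\d+@")


def reconcile(ldap_mail, smgr_logins):
    """Classify each identity by how the LDAP value lines up with SMGR."""
    smgr_exact = set(smgr_logins)
    # Map the normalized form back to the login as stored in SMGR.
    smgr_folded = {}
    for login in smgr_logins:
        smgr_folded.setdefault(login.strip().casefold(), login)

    report = {"exact": [], "case_only": [], "ldap_only": [],
              "smgr_only": [], "extension_named": []}
    matched = set()

    for mail in ldap_mail:
        key = mail.strip().casefold()
        if mail in smgr_exact:
            report["exact"].append(mail)
            matched.add(key)
        elif key in smgr_folded:
            # Assumption: whether the comparison is case sensitive is not
            # stated on the page, so these pairs are flagged for review.
            report["case_only"].append((mail, smgr_folded[key]))
            matched.add(key)
        else:
            # Can authenticate against LDAP but maps to no Aura user.
            report["ldap_only"].append(mail)

    for login in smgr_logins:
        if login.strip().casefold() not in matched:
            report["smgr_only"].append(login)
            if EXTENSION_LOGIN.match(login.strip()):
                report["extension_named"].append(login)
    return report


if __name__ == "__main__":
    for category, items in reconcile(LDAP_MAIL, SMGR_LOGINS).items():
        print(f"{category}: {items}")
```
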
 
Thanks again Kyle, I will check it out.

I am going to try to get this all to work in my lab so I can better understand all of this.

 