The management at my organization wants to make our IPT (Call Manager, Unity, gateways, and phones) available over the Internet. Other than obvious issues relating to QoS and so forth on the Net, it doesn't seem like this is the original intention of IPT. Yes, it's an IP Telephony implementation, and yes the Internet is IP based, but I don't think the two are quite ready for each other.
I could hook up remote offices via VPN and we could probably do something that way, but as for making ubiquitous access (i.e. no VPN, but from anywhere a user may be -- from Hong Kong to Charlottetown), I'm thinking it'd be an almost impossibility.
I need some supporting arguments to help my position (or possibly something to refute it). Thoughts?
There is no reason why it won't work but there are caveats.
Keep in mind security - your CM server, gateways and phones may all be accessible, and tunneling the traffic by VPN will add extra processing which leads to delay in traffic. The overall quality of the public internet needs to be considered - if the end to end delay is more than 250 msec users won't like the 'two way radio' half duplex operation that becomes apparent due to the perceived lack of immediate feedback. Unless you get an end to end Service level agreement there is no reason for any intermediate carriers to ensure your traffic gets to the far end - it's all best effort delivery - so any packet drops will start to mess with overall voice quality.
Were you planning to do the clustering (more than 1 Call Manager) over the Internet? I ask that because there is a strict requirement for the ICCS communications. It's 900Kbps per 10,000 Busy Hour Call Attempts (BHCA) and also a maximum RTT of 40ms between two Call Managers. The bandwidth will be easy on the Internet but I suspect the 40ms will be hard.
You can find more info on this in the "Cisco IP Telephony Solution Reference Network Design Guide". You'll find a whole section dedicated to clustering over a WAN.
Thanks so much for the reply. I believe the desire is to simply locate IP phones on the Net and have them somehow home back to the CCM Cluster here at the home site.
What about security of the components, signaling and conversations?
Without something such as IPSec VPN encrypting all traffic (signaling and voice) you would be very susceptible to eavesdropping and hacks, not to mention DoS attacks.
Even if you could make this work technically, how useful would it be since it would be so susceptible?
Suggest reading the following paper: "SAFE: IP Telephony Security in Depth"
We have experienced many IP Telephony implementations using the internet. Offhand, the provider you use for the internet connections can make a big difference. If your sites are all on the same provider's backbone it seems to make it better. Just think of it as cell quality; if they can deal with that then it should be fine.
Also you can use the softphone from Cisco or IP Blue's VTGO PC and a laptop with the Cisco VPN client on a good broadband connection for your road warriors.
I would not recommend not using a VPN to do VOIP over the internet for several security reasons.
Does this mean you encrypt your phone calls over the PSTN? It's pretty easy to plug a butt set into your office park's facilities. Why the difference between PSTN and VoIP in regards to encryption?
Thanks very much for the reply. I'm curious on the details though. Where does your telephony infrastructure reside? On your private network or directly on the Internet? If the former, do you have a VPN tunnel between locations? Would you mind providing details regarding how it's set up?
On a simpler note, regardless of QoS or Security there is the IP issue. If not using a VPN the Call Manager signalling can easily be handled by using NAT; however, what about the IP Phones? I am assuming that you are not assigning public IPs to your Phones. Therefore how are you going to get direct IP connectivity from Phone to Phone once a call is established? I think the only way is to use a VPN but even then the setup required negates the whole plug'n'play scenario from any POP on the Net.
(BTW, we have DSL users connecting via VPN using G729a and it works fine....most of the time....)
Hope that Helps.