Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
General Architecture
Release 2.6 - March 2020
8AL90509USAG Ed. 01
Legal notice
The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view other
trademarks used by affiliated companies of ALE Holding, visit: http://www.al-enterprise.com/en/legal/
trademarks-copyright. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Neither ALE Holding nor any of its
affiliates assumes any responsibility for inaccuracies contained herein.
© 2020 ALE International. All rights reserved. http://www.al-enterprise.com
Disclaimer
While efforts were made to verify the completeness and accuracy of the information contained in this
documentation, this document is provided “as is”. To get more accurate content concerning Cross
Compatibilities, Product Limits, Software Policy and Feature Lists, please refer to the accurate
documents published on the Business Partner Web Site.
In the interest of continued product development, ALE International reserves the right to make
improvements to this documentation and the products it describes at any time, without notice or
obligation.
The CE mark indicates that this product conforms to the following Council Directives:
• 2014/53/EU for radio equipment
• 2014/35/EU and 2014/30/EU for non radio equipment (including wired Telecom Terminal
Equipment)
• 2014/34/EU for ATEX equipment
• 2011/65/EU (RoHS)
• 2012/19/EU (WEEE)
Table of
contents General Architecture
Chapter 1
Reference documents
Chapter 2
Introduction
2.1 Scope.....................................................................................................................................................10
2.2 Overview.............................................................................................................................................10
2.3 High level architecture diagram.................................................................................. 10
2.4 System architecture components overview....................................................12
2.5 Commercial packaging using the OpenTouch..............................................14
2.5.1 Bare metal packages........................................................................................................................ 14
2.5.2 Virtualization packages.................................................................................................................... 15
Chapter 3
Topology aspects
3.1 Overview.............................................................................................................................................16
3.2 Telephony.......................................................................................................................................... 16
3.3 Applications.................................................................................................................................... 19
3.4 Localization..................................................................................................................................... 19
3.5 OpenTouch Networking.......................................................................................................20
Chapter 4
Mobility/Remote Access
Chapter 5
Ecosystem integration (Microsoft, Google)
5.1 Microsoft............................................................................................................................................ 29
5.1.1 On customer premises..................................................................................................................... 29
5.1.2 Cloud integration................................................................................................................................. 33
5.2 Google.................................................................................................................................................. 34
Chapter 6
Openness
Chapter 7
Operation, Administration, Maintenance and Provisioning (OAM&P)
7.1 Overview.............................................................................................................................................41
7.2 OAM&P Functions.................................................................................................................... 42
7.2.1 Configuration Management............................................................................................................42
7.2.2 Device Management..........................................................................................................................43
7.2.3 Performance Management.............................................................................................................43
7.2.4 Fault Management..............................................................................................................................43
7.2.5 Trouble Management........................................................................................................................ 44
Chapter 8
Security
Chapter 9
Licensing
1 Reference documents
2 Introduction
This document describes the general architecture on which OpenTouch is built. It explains the role and
responsibilities of each system components and how they collaborate with one another. It is
recommended as the first document to read for anyone new to OpenTouch and interested into
understanding how it works.
2.1 Scope
This document describes the architecture, as implemented in the OpenTouch solution, release 2.6 or
higher. It corresponds to the commercial offer that is described in details in the Product Offer
documentation available on BPWS.
The following paragraphs provide a high level but complete view of OpenTouch architecture.
2.2 Overview
The OpenTouch communication solution is a client-server software solution providing a broad range of
communication services to enterprises. It is made of various technical components that are combined
and configured to deliver various commercial packages. Its current release addresses Customer
Premises Equipment (CPE) or hosted deployments, for a population of up to several thousand users. It
provides applicative and multimedia services to users over multiple devices, including the range of
OpenTouch Conversation clients and business phones. The available features range from basic audio
communication to multi participant audio/video collaboration sessions. The OpenTouch integrates with
the enterprise eco-system (mail, directory, AAA etc.) and is administered by the OmniVista 8770.
OpenTouch services are available for users who require advanced business telephony features and
whose devices are controlled by the OmniPCX Enterprise. Applicative services are provided by the
OpenTouch.
OpenTouch users are powered by OTC clients, available for desktop and mobile platforms.
SIP
OTC
Mobile OTC OTC
PC Web
8770
HTTPs HTTPs
Published
APIs
OXE devices OpenTouch Server
Applications sub-system
Eco system
NOE/IP- LINK/SIP....
OAM&P sub-
system
SIP trk+
OXE
CSTA/PRS… Communication Infrastructure sub-system
….
Corporate
LDAP
Directories
3rd Pty On-Site
Fixed SIP OTC-PC
OTC-WEB IP-Touch
80x8
S4B + OTC
S4B Pane
Microsoft
Exchange
email Server
email server
Microsoft
OXE + MGW Legacy
DMZ devices
HTTPs Fax Server
(SAGEM T37
Reverse Fax oIP T38)
Google Proxy
OT-SBC
3rd Pty (SIP+Media) OT Servers
Fixed SIP
OTC OTC
OTC Smartphone Desktop Web
extension
ICS ACS
OAM&P sub-sys
device
ACS
Reverse SBC
OXE PCS OXE MGW Proxy
The OpenTouch server is the core of the solution, implementing UC&C services for users The
description of the OmniPCX Enterprise solution and OmniPCX Enterprise telephony devices is out of
the scope of this document.
OpenTouch clients deliver OpenTouch services to users from a vast variety of platforms, mobile and
desktop, and interact with the OpenTouch via web services for applicative services, and SIP for media
services (with OmniPCX Enterprise). The desktop client is complemented with a set of plug-ins that
allow integration to existing Microsoft or Google environments, enabling to easily reach OpenTouch
services from other applications. OpenTouch APIs further enables integration of OpenTouch services in
other métier applications.
The OTC Web client enables anyone, who has been invited, to reach OpenTouch, by simply clicking an
URL, from inside or outside the company (through a Reverse Proxy/SBC in the latter case). It supports
browser based WebRTC VoIP for external participants.
The Alcatel-Lucent OmniVista 8770 Network Management System application is the central
management point for the OpenTouch solution, interacting with OpenTouch and OmniPCX Enterprise
nodes for operation, administration, maintenance & provisioning.
Edge elements, reverse proxy and OpenTouch SBC, enable OpenTouch users with mobility/remote
access, and providing OpenTouch conferences to external participants (corporate and non-corporate
users).
OTMS OTMC
Subsystem 5000 users 15000 users
OXE
8770 + OTCC-SE (optional)
OT core Linux Linux
Messaging only
Software only
the mid to large market segment, aiming at replacing both the existing 8440 and 46x5 external voice
mail systems.
Note: In the early stages of the project, the OpenTouch Message Center was initially named OTVM.
For this reason, the OTVM acronym may still appear in some documents.
The OpenTouch Message Center package is built on OpenTouch technology and benefits from all
OpenTouch enhancements and capabilities (e.g. double release deployment, HA, virtualization
capabilities, management from the OmniVista 8770, performance monitoring) and to leverage voice
messaging developments with local storage voice mail through telephony and web access – no unified
messaging is supported.
Other packages
In addition to pure OpenTouch packages described above, the OpenTouch solution optionally relies on
additional components enabling remote access to OpenTouch services, further described in Mobility/
Remote Access on page 22:
A Session Border Controller (OTSBC)
A reverse proxy – 3rd-party AAPP element, replaces the OpenTouch® Edge Server altogether, as of
R2.2.1
OTMS-V OTMC-V
Subsystem 5000 users 15000 users
OXE
8770 VM + OTCC-SE (optional)
OT core VM Linux Linux
Messaging only
Specific virtualization aspects are discussed in Ecosystem integration (Microsoft, Google) on page 29.
The sizing of an OTMS-V or OTMC-V virtual machine is determined by using OpenTouch Capacity
Planning.
3 Topology aspects
3.1 Overview
This section describes topology aspects of OpenTouch solutions with respect to the commercial
packages defined in Commercial packaging using the OpenTouch on page 14.
An OpenTouch deployment is designed to be associated with one or more OmniPCX Enterprise
Communication Servers.
OpenTouch packages are designed to match possible OmniPCX Enterprise topologies as much as
possible, addressing anything, from single-site deployments to distributed or centralized topologies,
possibly with branch offices.
The OpenTouch Multimedia Services provides UC services to all or to a subset of OmniPCX Enterprise
users, whose endpoints are handled by OpenTouch users.
As a messaging-only version, an OTMC server is destined to be associated to one or more OmniPCX
Enterprise Communication Servers and provide its services to all or to a subset of the corresponding
OpenTouch users.
Topology aspects also include edge elements to handle remote user access / mobility, covered in
Mobility/Remote Access on page 22.
3.2 Telephony
This section focuses on the telephony aspects pertaining to OpenTouch Multimedia Services, referred
to as “OpenTouch server” in the following paragraphs.
The OmniVista 8770 NMS provides unified user management, automatically taking care of dual
configurations in the two servers: the OpenTouch and the associated OmniPCX Enterprise.
The following rules apply in all cases:
• An OmniPCX Enterprise node can only be associated to one OpenTouch server.
• An OpenTouch Multimedia Services can be associated to and provide UC services to users of up to
20 OmniPCX Enterprise nodes, belonging to the same homogeneous sub-network.
• A given OpenTouch Multimedia Services server cannot be associated with independent OmniPCX
Enterprise nodes, or OmniPCX Enterprise nodes of different subnetworks of a supra-network.
Single OpenTouch
A standalone OpenTouch deployment highlighting user declarations can be illustrated with two OXE
nodes belonging to the same sub-network and linked together by an ABC-F link, and an OpenTouch
node interfacing the two OXE nodes through one SIP trunk group per node.
Site 1
Alice Bob
Zoe
Site 2
PSTN OXE C
Carol Ben
Master site
Alice Ben
PSTN OXE A OT B
Zoe
Slave site
PSTN OXE C OT D
Carol David
3.3 Applications
An OpenTouch server provides applications to a number of OmniPCX Enterprise users of any site, up
to the maximum provisioning level of the OT server.
London Oxford
OXE A m OXE A s
New York HQ HA
8770
A C D A2
OTMS B A1
A1 C1 D1
OXE C s OXE C m C
HA WAN
Paris
WAN
D
OXE D m OXE D s
PCS C
C2
D1 D2
C1
In the example above, ICS/ACS applications are provided by OT to the following populations:
• A subset A1 (London) of population A of OpenTouch users
• A subset C1 (Chicago) of population C of OpenTouch users
• A subset D1 (Paris) of population D of OpenTouch users
OpenTouch users may take advantage of local media processing resources.
Mixing OTMS and OTMC on the same OXE node
To address voice mail capacity needs for some customer, deploying an OTMC (green field or NGVM
migration) on the same OmniPCX Enterprise node as the OTMS is possible. As a single PRS link is
supported on an OmniPCX Enterprise node, the PRS component can be active on only one of OTMC
or OTMS. The recommended deployment is to configure voice mail for OpenTouch users on the
OTMC, and make PRS applications available on the OTMC so OpenTouch users benefit from visual
voice mail on their IPTouch phones.
3.4 Localization
Multi-timezone
OpenTouch users may be configured in their own specific timezone, different than that of the system
itself. Multi time zone information on end points is handled differently according to device type:
End points using the NOE protocol (for OpenTouch users): local time information is handled and
provided by the OmniPCX Enterprise system
Managed SIP deskphones: local time information is provided through the device configuration file and
handled locally by the device
3rd party SIP end points: device dependent
Software clients: local time information is provided through the Operating System of the device and
handled locally by the device
Multi-country
In a centralized configuration, the system may have to handle users located in different countries
inducing some constraints: dialing plan, barring, prompts etc. The rules driving OmniPCX Enterprise
multi-country configurations are described in a dedicated presales presentation (available in eBP/
Presales Corner)
In an OmniPCX Enterprise with OpenTouch Multimedia Services deployment, multi-country
configuration is supported for OpenTouch users..
OpenTouch nodes comprising an OpenTouch network may also be deployed in different sites, possibly
in different IP networks to address local autonomy.
Whether networked or not, OpenTouch systems remain associated to their respective OmniPCX
Enterprise Communication Server(s), limited to one OpenTouch node per OmniPCX Enterprise
Communication Server, and through which audio is carried as in simple multi-instance setups. An
OpenTouch network assumes that all OpenTouch nodes are associated to OmniPCX Enterprise nodes
belonging to the same sub-network with a consistent dial plan. Association with OmniPCX Enterprise
nodes belonging to separate OmniPCX Enterprise sub-networks is not supported.
OT Network
OT networking link
OTMS A OTMS B
OXE C OXE D
ABC-F
OXE E OXE F
OXE sub-network
OTMS G
Standalone
4 Mobility/Remote Access
date list. Other reverse proxies are authorized as long as they comply with OpenTouch Conversation
applications requirements, but ALE International provides limited support in this case.
Note: Since OpenTouch 2.2.1, the reverse proxy endorses the role that was previously addressed by
the OTES to enable guest access to conferences. Therefore an OTES is no longer needed.
Session Border Controller (SBC)
The SBC is required whenever VoIP is involved from remote OpenTouch SIP clients (PC, Dual mode
smartphones, etc.), and also to enable WebRTC media for remote guest users joining OpenTouch
scheduled conferences.
The SBC role is to securely relay SIP signaling and media flows between remote clients and LAN
components. It supports encryption and can relay between encrypted traffic on the WAN side to clear
traffic on the LAN. It acts as a WebRTC gateway in the remote conference guests use case, relaying
WebRTC-based signaling and media (SIP-WS and DTLS-SRTP) to SIP/RTP on the LAN.
The SBC does not authenticate SIP endpoints, but rather delegates authentication to the backend SIP
server (OmniPCX Enterprise for OmniPCX Enterprise and OpenTouch devices). All unauthenticated
endpoints are considered untrusted and strictly controlled on all SIP interactions before they
successfully authenticate (typically only REGISTRATION is allowed).
OTSBC (Audiocodes OEM) is the SBC component of the OpenTouch solution. It uses its own
configuration tools.
L3 VPN Gateway
As an alternative to deployments based on the edge elements described above, remote user
deployment can rely on an existing layer 3 VPN tunnel infrastructure, in which case neither the
OpenTouch server nor endpoints are aware of the remote working situation. Network connections
between remote devices and LAN components are direct, and only encapsulated on the WAN portion,
with possible double encryption (HTTPS in IPSec, SRTP in IPsec).
There is no particular recommendation regarding the IPSec VPN solution used for OpenTouch clients.
It is considered an infrastructure layer, independent from our OpenTouch applications. Some
qualification is however recommended for mobile platforms, to ensure that the user experience is not
affected by possibly unstable IPsec VPN connections (due to data connection persistence, standby
mechanisms) that may require the VPN to be re-established frequently with credentials provided by the
user.
conferencing), with discrimination based on ports. It is however possible to use separate SIP public
FQDN for each backend OmniPCX Enterprise and OpenTouch node
DMZ
Public SIP FQDN OXE Configured at OT
server installation
pub-sip-services.company.com (eg post-install
SBC wizard)
Internet oxe.company.com
Connected Users FQDN
pub-ot-services.company.com OpenTouch Private FQDN of OT
Used to reach OT services on
RP LAN (DM, UCWS, SIPs,
APIs…)
ot.company.com OT Private Only exposed on OT on the
FQDNs LAN
conference.company.com conference.company.com
Public FQDN for connected users Web collaboration FQDN
Used by connected OTC clients to
join all OpenTouch server services Enterprise network
Exposed by the Reverse Proxy only
Public FQDNs are configured through the OmniVista 8770, and automatically pushed to remote clients
when they connect to the OpenTouch. End-Users of OpenTouch Conversation client applications only
have to provision the public FQDN of the “connected interface”, to reach the OpenTouch and access
the full set of public FQDNs to use. Participants of OpenTouch conferences must only click the
conference URL containing the “web collaboration FQDN”. The following picture illustrates how FQDNs
are configured.
❸ ❷ ❶
Users providing the bootstrap FQDN that allows IS/IT configuring the Public DNS to allow
OT Admin declaring in 8770 the public
reaching OT in on-site or off-site situation resolution of OT Edge components from the
FQDNs to be used by remote clients
(manually entered through QR code) public Internet
Private DNS
DMZ
ot.company.com → @IP OT
conference.company.com → @IP ACS cluster of OT
oxe.company.com → @IP OXE
Public DNS
pub-sip-services.company.com SBC
OXE
Pub-sip-services.company.com → @IP SBC
Pub-ot.company.com → @IP RP
Conference.company.com → @IP RP
NB: No public DNS entry for ot.company.com oxe.company.com
Remote OTC clients
pub-ot.company.com RP
OT User configures OTC client with:
- Private server FQDN: ot.company.com OpenTouch
- Public server FQDN (Connected Users interface FQDN):
pub-ot.company.com
conference.company.com
Internet
Then all other FQDNs are pushed by the server through ot.company.com
IcsLocator and DM OT Private
conference.company.com FQDNs
This web collab interface FQDN is not
pushed to connected clients who only
Enterprise Network
deal with the « connected clients »
interface FQDN
OTC Web (anonymous)
SBC parameters and association to devices done in 8770 Public URLs of OT Services declared in 8770
For data services (configuration and web services), OpenTouch Conversation clients rely on the
provisioning by the CMS of private/public FQDN pairs to reach OpenTouch applicative services. These
FQDN pairs are retrieved by requesting the IcsServiceLocator Web service. The general principle,
implemented in OpenTouch connected clients, is that failure to resolve the OpenTouch private FQDN,
or inability to connect through the private FQDN, results in the client detecting that it is located on the
WAN and must use public URLs for all data services.
For SIP services, SBC parameters (FQDN, transport protocol, encryption parameters) are provisioned
to clients by the DM, through dedicated configuration parameters of the SIP configuration files of the
clients. Clients with different SIP proxy candidates (typically the OpenTouch for LAN, an SBC for WAN),
manage cycling through different SIP proxy candidates according to the same DNS resolution failure
principle.
For these location mechanisms to work, the FQDN configuration must comply with the following rules:
• The public OpenTouch server FQDN (connected users interface FQDN) must be different from the
private OpenTouch FQDN
• The private FQDN of the OpenTouch server, must be different from the SBC public FQDN
• When access OpenTouch conferences is implemented for remote guest users, the Web
Collaboration FQDN must be offered both on the public DNS (resolving to the RP IP address), and
on the private DNS (where it resolves to the OpenTouch conferencing service IP address). This
ensures that OpenTouch conferences URLs are reachable from the Internet and the Intranet alike
• Other private FQDNs of OpenTouch server and OmniPCX Enterprise must not be published in the
public DNS
In case the IS/IT manages a private domain on the corporate network, that is not exposed on the public
DNS, then the Web Collaboration FQDN of the OpenTouch server cannot be part of this private
domain, because it must be resolved from both LAN and WAN. The other FQDNs of OpenTouch and
OmniPCX Enterprise may be part of the private domain. The DNS server of the LAN must therefore be
able to resolve names of the private domain, and also enable resolution of the public domain to which
the Web Collaboration FQDN belongs to.
Public DNS
pub-sip-services.company.com -> @IP SBC Private DNS
pub-ot.company.com -> @IP RP ot.company.local -> @IP OT
conference.company.com -> @IP RP oxe.company.local -> @IP OXE
DMZ conference.company.com -> @IP ACS cluster of OT
pub-sip-services.company.com
SBC
OXE
oxe.company.local
Internet
pub-ot.company.com RP OpenTouch
ot.company.local → @IP OT
OT private FQDNs
conference.company.com conference.company.com → @IP ACS cluster
Enterprise Network
OXE
pub-sip-services.company.com pub-sip-services.company.com OXE
SBC SBC
Remote Corporate User with
Remote Corporate User with connected clients:
connected clients: oxe.company.com OTC PC
OTC PC OTC Smartphone Connected Users public interface oxe.company.com
OTC Smartphone pub-ot.company.com RP
Connected Users public interface OpenTouch OpenTouch
Internet pub-ot.company.com Internet
RP
Web collaboration public interface
conference.company.com
ot.company.com ot.company.com
DMZ conference.company.com DMZ conference.company.com
LAN LAN
Public FQDNs
OXE
pub-sip-services.company.com
SBC
oxe.company.com
Internet RP
OpenTouch
Guest/External user
Web collaboration public interface
(OTC Web)
conference.company.com
ot.company.com
DMZ conference.company.com
LAN
The following picture illustrates flows between remote users, edge components and LAN components,
in the second use case combining remote worker and guest access cases.
Private DNS
Public DNS Public FQDNs
pub-sip-services.company.com → @IP SBC oxe.company.com → @IP OXE
pub-ot.company.com → @IP RP ot.company.com → @IP OT
conference.company.com → @IP RP conference.company.com → @IP ACS cluster of OT
NB: No public DNS entry for
DMZ Enterprise Network
oxe.company.com and ot.company.com
pub-sip-services.company.com
SBC
OXE
Figure 4.4: Flows between remote users, edge components and LAN components in remote worker
and guest access cases example
From OpenTouch 2.2.1, OpenTouch servers can be networked to extend the scalability and topology
capabilities of the solution, while providing collaboration services for users across the different
OpenTouch nodes (see Topology aspects on page 16).
In such topologies, the reverse proxy must expose both the “connected users” interface and the “web
collaboration” interfaces for the backend OpenTouch server it is associated with, even if only remote
workers are deployed (no external guests). This is necessary for connected users to benefit from full
collaboration features between each other, regardless of the OpenTouch server they are located on.
This configuration can be implemented with a single RP addressing several OpenTouch nodes, or with
several RP for topology or scalability reasons. If a single RP covers several OpenTouch nodes, the RP
configuration for “connected users” and “web collaboration” interfaces is strictly identical to what it is for
a single OpenTouch configuration, with the difference that it must be replicated for each public FQDN of
backend OpenTouch instances.
HTTPS (ics WS + config)
Public FQDNs
OT1 Remote Corporate Users
Joining a conference of an OT2 user
ot1.company.com
conferenceot1.company.com OpenTouch1
Internet
pub-ot1.company.com
conferenceot1.company.com
RP
pub-ot2.company.com Network OpenTouch
conferenceot2.company.com
OpenTouch2
LAN
Public FQDNs
OT1 Remote Corporate Users
Joining a conference of an OT2 user
Site 2
ot1.company.com
conferenceot1.company.com OpenTouch1
pub-ot1.company.com
Internet RP
conferenceot1.company.com
DMZ Site 2
Network OpenTouch
pub-ot2.company.com
RP
OpenTouch2
conferenceot2.company.com
DMZ Site 1
ot2.company.com
conferenceot2.company.com
Site 1
5.1 Microsoft
The figure below represents an architecture overview of all OpenTouch/Microsoft interactions.
The OpenTouch is linked to Microsoft on clients (OpenTouch Conversation/Skype/Outlook/Office) as
well as on the server (OpenTouch/Exchange) on customer premises and cloud configurations, in order
to deliver integrations with MSFT clients and server-based features such as unified messaging,
calendar synchronization or directory look-ups.
Related information is provided in the following chapters.
On-premises, or Cloud
services (Office 365), or
hybrid topologies
Unified Messaging
Meeting sync.
Calendar info.
Lync/Skype Microsoft
Edge OpenTouch Microsoft Microsoft Active
for Business Lync/Skype for
server server Exchange server Directory
server Business server
This integration is made available to OpenTouch users thanks to a unique client in OpenTouch2.2.
With this feature, it is possible to check the availability of a contact (OpenTouch presence, including
phone presence), see the contact’s picture (OpenTouch avatar), start a chat, or an audio call with this
contact, retrieve the OpenTouch status message (mood phrase) and reply to an e-mail with multi-chat
instant messages.
To provide this integration, the OpenTouch Conversation must be installed with the option ‘im provider’
validated. On first start, users are prompted to set OpenTouch Conversation as the default IM Provider
on their local machine (only one IM Provider is active on the machine). The information is set in the
machine registry (HKEY_CURRENT_USER\Software\IM Providers\DefaultIMApp).
Once this has been done, the OpenTouch Conversation starts a specific executable:
OTCPCLyncIMProvider.exe that implements a set of Microsoft COM APIs. Outlook (or another Office
application), on application startup, dialogs with the IM Provider using these COM API
(UCCollaborationLib namespace: ILyncClient, IUCOfficeIntegration, IAutomation, IContact, etc.) in
order to discover the features.
Interfaces are also implemented so that IM Provider delivers events to Outlook or Office applications
(Contact presence update).
The link between the IM Provider and the OpenTouch Conversation is also defined though the COM
interface and allows the IM Provider to receive contact information and request contact information
(presence, avatar), starting a chat, an audio, video session etc.
5.1.1.1.2 Outlook integration
The OpenTouch Conversation is delivered with two add-ins to integrate to Outlook (OL2010, 2013):
Conversation add-in
Messaging, contact synchronization and telephony features
Cannot be installed independently of the OpenTouch Conversation
Add-in built using the VSTO development tool: .NET based add-in.
This add-in is built on top of Outlook APIs (Outlook Object Model) and allows to manage e-mails,
appointments, contacts etc. within the Outlook client. The Outlook Object Model is described here.
Caution:
This add-in has no direct connection to the OpenTouch server: all requests go through the OpenTouch
Conversation application via the HTTP localhost proprietary API (the OpenTouch Conversation delivers an
HTTP localhost for add-ins). The OpenTouch Conversation must be running to deliver features.
This add-in is hosted in OutlookSynchroContact.dll and is in charge of:
• Messaging features:
• Play a voice message on phone
• Record and send a voice message
• Display the voice mail icon in front of voice messages (based on the template field)
• Analyze specific e-mail information and SMTP headers (ecc sender ID, message ID) in order to
call back the sender or play the message of the currently selected e-mail
• Contact synchronization
• The add-in retrieves all local Outlook contacts and provides information to the Windows contact
service through a proprietary API. The OpenTouch Conversation can display local contact results
in its directory lookup window through a dialog with the contact service.
• Telephony features
• When the OpenTouch Conversation runs in IM Provider mode, behaviors are limited to display
actions on right click menus. Main features are delivered through the persona card.
• When the OpenTouch Conversation is not the IM provider (for instance: Skype is the IM
provider), the add-in integrates to the Outlook ribbon (thanks to Outlook APIs) to offer options
such as: make a call, start a video call or start IM. The action buttons are available for the
currently selected e(mail, contact etc.
Conferencing add-in
This add-in delivers conference management: end-users can add/modify/remove conferences,
identified as Outlook appointments.
This add-in also allows to join conferences on line from:
• The body of the appointment (HTTP link)
• A custom ‘reminder’ window, built in the add-in
• The join online button available from the Outlook ribbon
This add-in is built on a 3rd party applicative framework: addin Express.
It is hosted in the MTWOutlookConfAddin.dll file.
The add-in relies on Outlook APIs to integrate into Outlook (ribbon, appointments, etc.) and is directly
connected to the OpenTouch server (no need to have an OpenTouch Conversation running) to manage
conferences and their participants.
The link between the add-in and the OpenTouch server is done with the OpenTouch/ACS VCS API.
The title, date, time, roster of participants are synchronized between Outlook and the OpenTouch
server.
This component currently has several limitations that will be addressed in future releases:
• No support of reverse proxy, in other words, this requires the computer to use VPN to connect to the
corporate network
• No support of Kerberos SSO, users are asked to enter their OpenTouch applicative password to use
the plug-in
5.1.1.1.3 Skype For Business integration
Selected on installation of the OpenTouch Conversation, Skype For Business integration runs on the
two SFB and Lync systems. This mode allows a user to use SFB for contact management/presence,
Instant Messaging and to use OpenTouch Conversation features (mainly remote call control on a
Skype contact, using the deskphone) through actions available on SFB or on a pane displayed at the
bottom of SFB. The OpenTouch Conversation can retrieve SFB contacts, make directory look-ups in
the Active Directory and start IM sessions using the SFB windows.
When implementing this solution, it is important to ensure that ALL users are configured alike: there
cannot be users using an OpenTouch Conversation in standalone mode and others integrated with
SkypeFB. This would lead to undelivered Instant Messages and bad user experience.
Conversation history
• Start IM in Lync/SFB
• Offering a COM interface to the OpenTouch Conversation so that the OpenTouch Conversation
can implement the corresponding features
• IM Provider
• The IM Provider has been adapted in OpenTouch2.2 to make it context transparent (whether the
OTC is running in standalone or in Skype integration mode).
• In the Skype mode, when a user clicks send IM from persona card, a Skype IM session is
created, while clicking start audio call starts the call from the OpenTouch Conversation. This is
managed by the OpenTouch Conversation application. The IM provider has no direct link on the
LyncWrapper.dll for instance.
The Skype For Business integration mode must be defined in the OmniVista 8770 through the
declaration of a Skype For Business server (IT servers). The consequences of doing this are:
• OpenTouch mobile applications do not offer to send Instant Message (it would have been done on
the OpenTouch when all users use Skype)
• Some parts of the OpenTouch Conversation (MDW) based behaviors in the information is set in the
OmniVista 8770 (and provided through OpenTouch REST API)
Adaptations have been made in the WireAl/Exchange Connector in order to support an Exchange On
Line server.
PUBLIC DNS PRIVATE DNS
Pub- ot.company.com ot.company.com
Enterprise network
EWS requests
HTTP Proxy My IC Phone
EWS notifications
Reverse Proxy
pub- ot.company.com:443/<UnifiedMessagingURL
>
DMZ OpenTouch
pub- ot.company.com:443/<CalendarSycnchroURL
> ot.company.com:443 Multimedia Services
CMS DB
- - Public/ Private FQDNs
Public FQDNs Private FQDNs - - HTTP proxy
- - Exchange mode
5.2 Google
Unified Messaging is now available on Gmail.
This connection between the OpenTouch and Google Servers is done with OAUTH2 authentication call
flows. For this purpose, the IT Manager must manually configure multiple parameters in Google to
define an application with a secretID/key that must be pushed to the 8770 (IMAP mail server added to
a Gmail server, and an OAUTH2 authentication to set the Gmail application ID and key).
This configuration is described in the Messaging FSD (8AL_22030_3601_BEZZA) – chapter 6.5.
Voice mail deposit is done using the SMTP protocol. Getting voice mails and Message Waiting
Indicator (MWI) is done using the IMAP protocol.
Google does not notifying the OpenTouch server of new voice mails/e-mails , consequently a polling
mechanism is put in place (with a default timer of 60 second per mailbox) to verify the arrival of new
voice messages (and more generally to monitor changes in the mailbox status: deleted voice message,
read/unread message(s) etc.). This polling mechanism implies a restriction of the number of users with
a Gmail voice mailbox per OpenTouch server. The limit is currently set to 500 users, when the default
polling period is used. It is possible to adjust the polling period to reach higher capacities.
This polling mechanism removes the need to define a public URL for the OpenTouch server, as the
OpenTouch server is always at the origin of any request regarding Google whether it relies on the
IMAP or SMTP protocol.
Ports 587 (default SMTP) and 993 (default IMAP) must be opened to the internet for the OpenTouch
server to send SMTP & IMAP requests.
It may occur that an SMTP relay must be used (a common setup of IT is to define a single point in the
network, authorized to send outgoing SMTP requests: the SMTP relay). In this case, the SMTP relay
can be defined in the OmniVista 8770 (SystemServices/Applications/Messaging/VPIM).
Voice message access from any device and client application, anywhere.
User centric: same message state across all devices and client applications.
A
Voice message
deposit (A to B)
B
Message deposit / SMTP
User is busy
OpenTouch
or absent
server
Message retrieval / IMAP
Deskphone Smartphone
PC
6 Openness
6.1.1 Architecture
As described below, the “exposure framework” is made of the following components:
• An http server (apache/muxer)
• A Tomcat server hosting the chameleon web app
• The chameleon web app implementing the business logic of the API through some dedicated
modules, such as the “rest enabler” and the “openness controller”
The “exposure framework” is part of the OpenTouch software stack and runs on the OpenTouch server.
Public User
3rd party CRUD api
3rd party
3rd party
app 8770 MyIc-PC MyIc-mobile OTC
Public
functional api
Private
functional Private
Private config
api ACS
api
api
http srv
Chameleon/Tomcat Exposure
framework
Openness Rest
controller enabler
Infra components
OTMS flexlm Infra components
ACS
6.1.2 Compatibility/versioning
The evolutions of OpenTouch and 3rd party applications are not synchronous (roadmaps are different).
This is why it is important to guaranty a certain level of stability of the public API across OpenTouch
releases.
The compatibility of a public OpenTouch API is guaranteed for a minimum of three OpenTouch
releases. Therefore, if an API must evolve and if backward compatibility cannot be maintained, the
existing API must be left untouched and a new API must developed to introduce the required evolution.
The old API remains part of the OpenTouch for the two next releases, at least.
6.1.3 Security
A 3rd party application must be logged to the OpenTouch (user or administrator account) before it is
authorized to call the public API.
A web service dedicated to the user/admin authentication is published. This web service serves
internal authentication (internal OpenTouch user referential) as well as external authentication (the
enterprise LDAP server) with no difference for the third-party application which requests it. The only
difference is that the account login/password to enter by the end user is the login/password managed in
the OpenTouch/OAMP user/admin object for internal authentication or the OpenTouch/OAMP user/
admin object, managed outside the OpenTouch for external authentication.
In both cases, the authentication web service returns a session identifier. The third-party application
must set this session identifier as a parameter with any further request on the public OpenTouch API.
The chameleon systematically controls this session identifier.
The data transported in the requests is secured by HTTPS.
Take call
Release call
Note:
OpenTouch2.2 adds possibility to call a
number from any OmniPCX Enterprise
device (not necessarily being a device of an
OpenTouch user)
OpenTouch2.2 also brings the VCARD relative URL path on every API where a participant, a contact is
described. This gives possibility to 3rd party developer to access rich data about the contact including
photo, company name, job title etc.
7 Operation, Administration,
Maintenance and Provisioning
(OAM&P)
7.1 Overview
OAM&P (Operation, Administration, Maintenance and Provisioning) corresponds from a system
architecture point of view to a particular sub-system of the OpenTouch. The main objective for OAM&P
is to provide FCAPS management functions (Fault, Configuration, Alarm, Performance and Security).
OAM&P highly contributes to enhancements in the level of serviceability, leveraging the “Easy-admin”
approach. The OAM&P sub-system focuses on:
Configurability
OAM&P offers an intuitive management tool providing:
• Consistent look and feel and consistent ergonomic views. Homogeneity and clear identity of the
active function and scope.
• Graphical presentation views of the well-known domains to configure (Users, Topology, Security,
Applications, etc. ) rather than a list of obscure software components.
• Pre-set default values for each parameter, where possible
• Pre-set automatic values calculation or recalculation
• Presentation views depending on the expertise level of administrators (role based management)
• Minimized numbers of data elements to manage
The single graphical interface is provided by the OmniVista 8770 management platform. The
OmniVista 8770 uses OpenTouch configuration management APIs, based on the web services
technology.
Deployability
This solution aims at simplifying software installation (setup) or re-installation (setup/migration) of all
the OpenTouch relevant modules on one physical server. Device management contributes to increase
the level of deployability by providing automatic device software installation/update on the devices
themselves, as well as automatic device configuration with zero touch deployment.
Device management is “hardware” agnostic, meaning that for administrators, management of devices
does not require any hardware identifier. For deskphones, device management is based on the MAC
address, but the MAC is auto-discovered when users plug their device. For mobile phones and
softphones, it is based on the user login (when the user logs to the OpenTouch application), and does
not require any hardware id.
Maintainability
This covers preventive maintenance and corrective maintenance.
For preventive maintenance, OAM&P:
• Provides and publishes usage metrics of the level of capacity utilization (Hardware, Operating
System, Virtualization, Application services, Communication Services)
• Provides and publishes VoIP metrics to measure voice over IP quality (for the OmniPCX Enterprise
only).
For corrective maintenance, OAM&P (also based on the OmniVista 8770 for the GUI interface):
• Detects the fault, evaluates the severity and sends alarms to the administrator in case of troubles
• Specifies precisely where the fault is
• Allows reconfiguration or modification of the network in a way that minimizes impact
7.2.5.2 Backup-Restore
The backup Restore Utility automatically saves configuration and applicative data on a daily basis as
well as on request on a live production system. It is also used to restore data but the restoration
operation causes an interruption of service.
8 Security
8.1.1 Authentication
Authentication covers the functional mechanisms that allow the OpenTouch server to check that it
communicates with confirmed trusted user/admin/devices/servers.
Users/Admin authentication
The current authentication methods supported for user/admin authentication are:
• Login/password checked against the internal LDAP database
• Login/password checked against the external authentication referential, allowing to leverage the
corporate authentication database. Radius or LDAP are supported, depending on the corporate
database to access.
• Single Sign On (SSO) based on Kerberos (only supported on MSFT PC platforms), where the
OpenTouch solution uses the Windows session authentication as a way to silently authenticate the
end-user
Devices and Servers authentication
Digital certificates are used to authenticate servers whenever secure flows are used between different
components. These flows are typically based on SSL/TLS and consist in:
• SIP-TLS for SIP-based communications security (only between clients and an SBC, in remote
working cases)
• HTTPS for the security of applications and administration flows
• Other protocols at stake in the solution (LDAPS, IMPA4S…)
The TLS protocol requires at least that the server host (OpenTouch in most IP flows) has a digital
certificate. The OpenTouch server generates a self-signed certificate at installation for TLS purposes,
but this certificate can be replaced by another certificate emitted by the customer PKI, if the IS/IT policy
requires so.
default after installation. At any moment, the administrator can access a Certificate Management tool
via the WBM in order to check, manage, import or export the server certificate of the OpenTouch as
necessary. The OpenTouch server certificate is automatically deployed to the OpenTouch devices fleet
to perform server authentication.
OXE OTMS/OTMC
External
Fax Server
Media Server
NOE RTP
SSM-RM MSM-RM
Media keys
signaling protocol
SIP
NOE-IPSec
SRTP
(terminals to
media server)
40x8
NOE Phone
SRTP
(peer to peer calls)
RTP
OTC PC (No encryption for OTCT Softphone)
9 Licensing
The OpenTouch (OTMS, OTMC) relies on a 3rd party license server named FlexLM and provided by
the Flexera software company for internal license control. It has been tuned for ALE International
needs and can be either embedded in the OpenTouch server itself or provided as an external/
centralized license server for virtualized solutions.
To ensure protection against piracy, the license file is signed by a host ID, which is a kind of hardware
ID. The license file is valid only if the given hardware device is connected or present in the server. The
following host IDs are supported:
• Non virtualized OpenTouch: the ALUID, a hardware fingerprint of the physical server running the
OpenTouch, is used. It depends on the motherboard and on the network cards. If one of these items
is changed, a new license file must be signed with this new ALUID.
A tool, getaluid, included in the OpenTouch software delivery is used to determine the ALUID of a
server.
The ALUID is not a generic host ID provided by Flexera but an OmniPCX Enterprise proprietary
“vendor defined host ID”.
The ALUID is a 32 hexadecimal digits string of the form:
ALUID=81D3C23B644ACB118DE6D4972012A1B2
• Virtualized OpenTouch: The ALUID cannot be used, as the ALUID of the physical host is
meaningless (a virtual machine can run on different physical hosts) and the ALUID of the virtual
machine can be easily spoofed.
• If the associated OmniPCX Enterprise is connected to the Cloud, the MAC address is used.
A license file signed by a MAC address includes a server line as follows:
SERVER this_host 00095BECEEF2 27000
Where 00095BECEEF2 is the MAC address (12 hexadecimal digits)
For green field, it is recommended to use the embedded license server. An external license
server can be used in case of upgrade because there is no easy way to switch from an external
license server to an embedded one.
• If the associated OmniPCX Enterprise is not connected to the Cloud, the signature license file
relies on the dongle ID. This is a regular host ID provided by Flexera. This kind of signature
requires an Aladdin dongle to be physically connected to a USB port of the server running the
OpenTouch. A license file signed by a USB dongle ID includes a server line as follows:
SERVER this_host FLEXID=9-12345678 (the number nine, followed by a hyphen and 8
hexadecimal digits).
ALUID
Embedded
OT FlexLM
Linux
This topology is applicable for OpenTouch Multimedia Services and OpenTouch Message Center.
VMware HA
Vmware HA
USB dongle 1 USB dongle 1
USB dongle 2 USB dongle 2
To implement a VMware stretched cluster some pre-requisites must be met, among which: an inter
datacenter delay below 5ms, a minimum 622 Mbps redundant network link, less than 100km between
datacenters. Refer to VMware for the exhaustive pre-requisites list.
Additional VMware documents may be consulted for more information:
• Stretched_Clusters_and_VMware_vCenter_Site_Recovery_Manage_USLTR_Regalix.pdf
• vSphere5.0 Metro Storage Cluster Case Study.pdf
This has no impact for ALE International servers (either at product level or at quotation / ordering level),
but some warnings must be considered.
This topology allows:
• To enable OmniPCX Enterprise geographical redundancy, while keeping OpenTouch system local
redundancy. This capability is however limited to a layer two connectivity between the two
datacenters.
• To provide layer 2 geographical redundancy to an OpenTouch system, based on VMware HA and
stretched cluster. Today, this is the only available solution to provide spatial redundancy for a
virtualized OpenTouch system.
Three dongle solution
This solution allows to retain full OmniPCX Enterprise spatial redundancy capabilities. However it
cannot provide geographical redundancy to the OpenTouch system, be it an OpenTouch Multimedia
Services or OTMC.
This solution does not require any specific (network/storage) infrastructure, nor has any product
impacts. It is available regardless of dongle implementation, the FlexLM choice (internal or external),
the OpenTouch VMware HA and, in case of an OTMS-V, remains available if the OmniPCX Enterprise
is deployed on a physical platform.
Example of a redundant topology with OTMS-V VMware HA, internal FlexLM server and USB dongle
implementation:
OT & VMware
OXE CS A OXE CS B FlexLM 2
Flex 1
HA
Linux Linux
VM#2 VM#2
OK Linux Linux
VM#1 VM#4 VM#5
Hypervisor
Crash Hypervisor
USB dongle 3
Hypervisor
USB dongle 2
USB dongle 1 WAN
Data Center A Crash Data Center B
However this topology has an impact at ordering/licensing level and demands a dedicated manual
process to be carried out:
Based on quotation, Actis natively generates two dongles: dongle 1 and dongle 2.
Dongle 3 must be ordered independently via eBuy.
The BP must sign the license server file(s) with dongles 1 and 2, based on the selected dongle
implementation (USB or USB/IP): the license file xxx.ice associated with dongle 2 must be stored on
the datacenter B FlexLM server.
The BP creates an eSR to perform a license rehosting (replacement of dongle 2 by dongle 3).
License server file(s) must be generated again, but signed by dongles 1 and 3 and then stored on
datacenter A FlexLM servers.
In this process, it is assumed that dongles 1 and 3 are localized in datacenter A, hosting the
OpenTouch system, and dongle 2 in datacenter B (refer to the above example).
At the end of this process, dongles 1 and 3 are the ones specified by eBuy for this offer and therefore
the ones used to sign any updated license files in case of add-ons / upgrade. Dongle 2 and the
associated license file are only used to verify the OmniPCX Enterprise virtual CPU-ID and therefore
does not need to be changed in case of an add-on / upgrade.
• The license item exists but is associated to an expired validity date (the CMS considers the license
as equal to zero). The grace period applies to the faulty item only.
• The OpenTouch release is obsolete (ICE_RELEASE or OTVM_RELEASE < installed version). The
grace period applies for this item only, and rights associated to other licenses can still be configured
until expiry of the grace period on this ICE_RELEASE or OTVM_RELEASE item. At the end of this
grace period, rights associated to all other license items are removed.
Note:
An exception may occur if major changes between two releases require so. Not all versions accept running
with an older license, even during the grace period.
• The UCAAS license (ICE_UCAAS) are missing. The grace period applies to all license items
controlled by the CMS Audit.
• If ICE_GR_LOCK is different from 2 and release version is 2.0/2.0.1/2.0.2 (more precisely between
implementation of PR463104 which may be delivered in 2.0.1 only, and implementation of SR
463159 which stops this verification). In this case the grace period applies for all license items
controlled by the CMS audit.
If the license server is not accessible at all (e.g. no network connection), the CMS audit is not run but
no configuration of controlled items is possible from the OmniVista 8770. Licenses are however not put
switched to inconsistent, and the grace period is not applied. The CMS raises an alarm on its inability
to reach the Flex server: Skip license Audit : Flexlm is not available.
Technical license Reason for Behavior during grace Behavior after grace
items inconsistency period period expiry
ICE_RELEASE License version < No restriction Predefined rights
installed software removed for all users
version
OTVM_RELEASE License version < No restriction Predefined rights
installed software removed for all users
version
ICE_GR_LOCK Not set to 2 on releases No new rights can be Predefined rights
2.0.x assigned removed for all users
ICE_OXE_ACU_USER License missing or No new user can be Deletion of "ICE OXE
license value below created ACU USER" option for
configured level randomly selected
overused users
Technical license Reason for Behavior during grace Behavior after grace
items inconsistency period period expiry
ICE_UNIV_CLIENT License missing or No desktop or mobility Deletion desktop and
license value below option can be enabled mobility options for
configured level for any user randomly selected
overused users
ICE_DESKTOP_STD License missing or No desktop option can Deletion of desktop
license value below be enabled for any user option for randomly
configured level selected overused
users
ICE_OFF_SITE_MOB_ License missing or No mobility option can Deletion of mobility
STD license value below be enabled for any user option for randomly
configured level selected overused
users
ICE_DESKTOP_MM License missing or No desktop option can Deletion of desktop
license value below be enabled for any user option for randomly
configured level selected overused
users
ICE_OFF_SITE_MOB_ License missing or No mobility option can Deletion of mobility
MM license value below be enabled for any user option for randomly
configured level selected overused
users
Technical license Reason for Behavior during grace Behavior after grace
items inconsistency period period expiry
ICE_UCAAS License missing No new right can be All predefined rights
assigned to anyone deleted for all users
Note:
During a grace period, you cannot create a user from a predefined profile containing an option marked as
inconsistent user-oriented license. For example, if the license item ICE_UNIV_CLIENT is inconsistent, you cannot
created a user from a profile allocating universal client and voice mail rights to a user.
Collab
OT Standard Users
OmniPCX Enterprise Basic telephony
hardphone
(OXE panic mode)
VM, AA...
Adv Telephony
Collab
Anonymous users
OTC Web Reach scheduled conf
Legend:
: available
: not available
Basic Telephony: ability to place a call (dial-out 1 pcc), receive a call, call a conference bridge
Adv Telephony/UC: make ad-hoc conference, groupware, voice mail, manage routing profiles, switch
device...
Collab: IM, Presence, Access data conferences, create scheduled conference...
Note:
With a centralized license server, where the virtual CPU-ID item is stored in the OpenTouch license server, the
OmniPCX Enterprise goes to a degraded mode when the virtual CPU-ID item cannot be verified. The OmniPCX
Enterprisechecks this item every few hours, and on failure enters a degraded/panic mode.
When the system detects an inconsistency in the OPS files, it suspects illegal use, the Panic flag is set
up and the system runs in degraded mode. The steps for this degraded mode are:
• Action 1 (as soon as illegal use is detected) :
• Displays a message on the attendant set as soon as it enters idle mode, with a mandatory order
for the attendant to acknowledge this message.
• Deletes the screen of the terminal system, and displays the incident message:
Acknowledgement is mandatory.
• Stores the incident in the incidents file.
• Continuously rings an alarm set.
• Several management commands can no longer be launched and result in the following error:
Software protection error.
• Action 2 (four hours later) : Displays a predefined string on all sets with a display.