Oracle Acme Packet outbound configuration for ClearIP

This documentation provides instructions on how to configure an Oracle Acme Packet Session Border Controller (SBC) with ClearIP for outbound calls. After the SBC has been configured according to these instructions, then SIP INVITES can be sent to ClearIP.

The diagram below provides an overview of how ClearIP is configured as a SIP end point with an SBC. A SIP INVITE is sent from the CFS (Call Feature Server) to the SBC. Then the SBC forwards the INVITE to ClearIP for services, such as fraud and robocall control.

If no fraud is detected, ClearIP returns a SIP 404 No Route Found message and the SBC forwards the INVITE to the original destination. If fraud is detected, ClearIP responds with a SIP 603 Decline message indicating the call should be blocked. The SBC forwards the SIP 603 Decline message to the CFS. ClearIP can also return a SIP 302 Moved Temporarily message with an alternative destination if the call should be diverted.

Outbound network call flow

Outbound network call flow

This documentation does not include SBC installation instructions, such as installing SBC VMware image, configuring network interfaces, etc. This work should be done by Oracle technical support.

We have provided separate instructions for Oracle Acme Packet SBC configuration for STIR/SHAKEN with ClearIP.

1. Outbound scenarios

ClearIP can be used for STIR/SHAKEN authentication, toll fraud prevention for outbound call scenarios and used for STIR/SHAKEN verification and robocall prevention for inbound call scenarios. In the inbound scenarios, SBC directly forwards the calls from source devices to ClearIP. In the outbound scenarios, SBC forwards the calls to ClearIP before sending them out to destinations. This documentation only discusses the outbound scenarios.

This section describes one outbound scenario that is commonly used by telephone service providers.

Original scenario without ClearIP

Original scenario without ClearIP

Key components

  • Core Network — The network inside the domain of the telephone service provider.
  • Access Network — The network outside the domain of the telephone service provider.
  • Call Feature Server — The server of the telephone service provider that provides routing, billing, etc. features.
  • SBC Internal Interface — The internal SIP interface configured on the SBC to connect to the Core Network.
  • SBC External Interface — The external SIP interface configured on the SBC to connect to the Access Network.
  • Network Gateway — The device in the Access Network that sends SIP calls from the telephone service provider.

Routing rules

  • CFS-L — Local policies configured on the Call Feature Server.
  • SBC-L1 — Local policies configured on the SBC for the SBC Internal Interface/Core Network.
  • SBC-L2 — Local policies configured on the SBC for the SBC External Interface/Access Network.

Note: There may be only one set of SBC local policies. We separate it into two sets of policies logically.

Data flow

  1. F1 — The Call Feature Server sends calls to the SBC Internal Interface based on the local policies CFS-L configured on the Call Feature Server.
  2. F2 — The SBC Internal Interface forwards the calls to the SBC External Interface based on the local policies SBC-L1 configured on the SBC for the SBC Internal Interface.
  3. F3 — The SBC External Interface forwards the calls to the Network Gateway based on the local policies SBC-L2 configured on the SBC for the SBC External Interface.

Proposed scenario with ClearIP

Proposed scenario with ClearIP

Key components

  • Core Network — The network inside the domain of the telephone service provider.
  • Access Network — The network outside the domain of the telephone service provider. ClearIP is typically in the Access Network.
  • Call Feature Server — The server of the telephone service provider that provides routing, billing, etc. features.
  • SBC Internal Interface — The internal SIP interface configured on the SBC to connect to the Core Network.
  • SBC External Interface — The external SIP interface configured on the SBC to connect to the Access Network.
  • ClearIP — The TransNexus STIR/SHAKEN, toll fraud prevention, and robocall prevention solution.
  • Network Gateway — The device in the Access Network that sends SIP calls from the telephone service provider.

Routing rules

  • CFS-L — Local policies configured on the Call Feature Server.
  • SBC-L1 — Local policies configured on the SBC for the SBC Internal Interface.
  • SBC-L2’ + SBC-L2 — Local policies configured on the SBC for the SBC External Interface. It includes the routing policy SBC-L2’ for ClearIP and the original local policies SBC-L2 configured on the SBC for the SBC External Interface.

Note: It may not be necessary to change SBC-L1 and SBC-L2.

Data flow

  1. F1 — The Call Feature Server sends calls to the SBC Internal Interface based on the local policies CFS-L configured on the Call Feature Server.
  2. F2 — The SBC Internal Interface forwards the calls to the SBC External Interface based on the local policies SBC-L1 configured on the SBC for the SBC Internal Interface.
  3. F2’ — The SBC External Interface forwards the calls to ClearIP for fraud detection based on the local policies SBC-L2’ configured on the SBC for the SBC External Interface for ClearIP.
  4. F2’’ — ClearIP sends a response to the SBC External Interface. If fraud is detected, then a SIP 603 Decline is sent to the SBC. The SBC External Interface forwards the SIP 603 Decline to the Call Feature Server and finishes the calls. If fraud is not detected, then a SIP 404 Not Found is sent to the SBC.
  5. F3 — The SBC External Interface forwards the calls to the Network Gateway based on the local policies SBC-L2 configured on the SBC for the SBC External Interface.

2. Basic configuration

This section provides the basic standard configuration for an SBC.

Network diagram

Network diagram

Network interface configuration

To access ClearIP by its FQDN (Fully Qualified Domain Name), sip.clearip.com, there must be at least one DNS server configured. The DNS server should be configured in the network-interface.

Important configuration items:

1.dns-ip-primary8.8.8.8
2.dns-ip-backup18.8.4.4

In the sample configuration below, Google is used as the DNS service provider. Google Public DNS IPv4 servers are configured on the external network interface, M11, which connects to the Access Network. Other DNS servers can be used too. For example, an internal DNS server of the telephone service provider in the Core Network can be configured on the internal network interface, M10, which connects to the Core Network. The desired DNS server IP addresses should be configured.

A previously existing network interface should be configured as shown below.

Highlighted items should be different from the default values. Non-highlighted values can be left as the SBC default values. Some highlighted values such as the name, ip-address, etc. should be left as the previously existing values.

  • Sample network configuration
    network-interface
                    name                          M10
                    sub-port-id                   0
                    description
                    hostname
                    ip-address                    172.16.4.157
                    pri-utility-addr
                    sec-utility-addr
                    netmask                       255.255.0.0
                    gateway                       172.16.4.1
                    sec-gateway
                    gw-heartbeat
                        state                     disabled
                        heartbeat                 0
                        retry-count               0
                        retry-timeout             1
                        health-score              0
                    dns-ip-primary
                    dns-ip-backup1
                    dns-ip-backup2
                    dns-domain
                    dns-timeout                   11
                    hip-ip-list
                    ftp-address
                    icmp-address
                    snmp-address
                    telnet-address
                    ssh-address
                    signaling-mtu                 0
                network-interface
                    name                          M11
                    sub-port-id                   0
                    description
                    hostname
                    ip-address                    192.168.1.157
                    pri-utility-addr
                    sec-utility-addr
                    netmask                       255.255.0.0
                    gateway                       192.168.1.1
                    sec-gateway
                    gw-heartbeat
                        state                     disabled
                        heartbeat                 0
                        retry-count               0
                        retry-timeout             1
                        health-score              0
                    dns-ip-primary                8.8.8.8
                    dns-ip-backup1                8.8.4.4
                    dns-ip-backup2
                    dns-domain                    clearip.com
                    dns-timeout                   11
                    hip-ip-list
                    ftp-address
                    icmp-address
                    snmp-address
                    telnet-address
                    ssh-address
                    signaling-mtu

Realm configuration

The SBC is configured with two realms, CoreRealm and AccessRealm. They are mapped to the Core Network and Access Network, respectively. The Core Network includes trusted devices of the telephone service provider. The Access Network includes the devices outside the trusted network, customer devices, and provider devices.

Note: ClearIP can be treated as a trusted device in the Core Network or as a normal device in the Access Network. For the outbound scenario, ClearIP is treated as a device in the Access Network. You can either create a new realm or use an existing realm for ClearIP.

  • Sample realm configuration
    realm-config
                    identifier                    CoreRealm
                    description
                    addr-prefix                   0.0.0.0
                    network-interfaces            M10:0
                    mm-in-realm                   disabled
                    mm-in-network                 enabled
                    mm-same-ip                    enabled
                    mm-in-system                  enabled
                    bw-cac-non-mm                 disabled
                    msm-release                   disabled
                    qos-enable                    enabled
                    generate-UDP-checksum         disabled
                    max-bandwidth                 0
                    fallback-bandwidth            0
                    max-priority-bandwidth        0
                    max-latency                   0
                    max-jitter                    0
                    max-packet-loss               0
                    observ-window-size            0
                    parent-realm
                    dns-realm
                    media-policy
                    media-sec-policy
                    srtp-msm-passthrough          disabled
                    in-translationid
                    out-translationid
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    class-profile
                    average-rate-limit            0
                    access-control-trust-level    none
                    invalid-signal-threshold      0
                    maximum-signal-threshold      0
                    untrusted-signal-threshold    0
                    nat-trust-threshold           0
                    deny-period                   30
                    cac-failure-threshold         0
                    untrust-cac-failure-threshold 0
                    ext-policy-svr
                    diam-e2-address-realm
                    symmetric-latching            disabled
                    pai-strip                     disabled
                    trunk-context
                    early-media-allow
                    enforcement-profile
                    additional-prefixes
                    restricted-latching           none
                    restriction-mask              32
                    accounting-enable             enabled
                    user-cac-mode                 none
                    user-cac-bandwidth            0
                    user-cac-sessions             0
                    icmp-detect-multiplier        0
                    icmp-advertisement-interval   0
                    icmp-target-ip
                    monthly-minutes               0
                    net-management-control        disabled
                    delay-media-update            disabled
                    refer-call-transfer           disabled
                    refer-notify-provisional      none
                    dyn-refer-term                disabled
                    codec-policy
                    codec-manip-in-realm          disabled
                    constraint-name
                    call-recording-server-id
                    xnq-state xnq-unknown
                    hairpin-id                    0
                    stun-enable                   disabled
                    stun-server-ip                0.0.0.0
                    stun-server-port              3478
                    stun-changed-ip               0.0.0.0
                    stun-changed-port             3479
                    match-media-profiles
                    qos-constraint
                    sip-profile
                    sip-isup-profile
                    block-rtcp                    disabled
                    hide-egress-media-update      disabled
                    tcp-media-profile
                    subscription-id-type          END_USER_NONE
                realm-config
                    identifier                    AccessRealm
                    description
                    addr-prefix                   0.0.0.0
                    network-interfaces            M11:0
                    mm-in-realm                   disabled
                    mm-in-network                 enabled
                    mm-same-ip                    enabled
                    mm-in-system                  enabled
                    bw-cac-non-mm                 disabled
                    msm-release                   disabled
                    qos-enable                    disabled
                    generate-UDP-checksum         disabled
                    max-bandwidth                 0
                    fallback-bandwidth            0
                    max-priority-bandwidth        0
                    max-latency                   0
                    max-jitter                    0
                    max-packet-loss               0
                    observ-window-size            0
                    parent-realm
                    dns-realm
                    media-policy
                    media-sec-policy
                    srtp-msm-passthrough          disabled
                    in-translationid
                    out-translationid
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    class-profile
                    average-rate-limit            0
                    access-control-trust-level    none
                    invalid-signal-threshold      0
                    maximum-signal-threshold      0
                    untrusted-signal-threshold    0
                    nat-trust-threshold           0
                    deny-period                   30
                    cac-failure-threshold         0
                    untrust-cac-failure-threshold 0
                    ext-policy-svr
                    diam-e2-address-realm
                    symmetric-latching            disabled
                    pai-strip                     disabled
                    trunk-context
                    early-media-allow
                    enforcement-profile
                    additional-prefixes
                    restricted-latching           none
                    restriction-mask              32
                    accounting-enable             enabled
                    user-cac-mode                 none
                    user-cac-bandwidth            0
                    user-cac-sessions             0
                    icmp-detect-multiplier        0
                    icmp-advertisement-interval   0
                    icmp-target-ip
                    monthly-minutes               0
                    net-management-control        disabled
                    delay-media-update            disabled
                    refer-call-transfer           disabled
                    refer-notify-provisional      none
                    dyn-refer-term                disabled
                    codec-policy
                    codec-manip-in-realm          disabled
                    constraint-name
                    call-recording-server-id
                    xnq-state                     xnq-unknown
                    hairpin-id                    0
                    stun-enable                   disabled
                    stun-server-ip                0.0.0.0
                    stun-server-port              3478
                    stun-changed-ip               0.0.0.0
                    stun-changed-port             3479
                    match-media-profiles
                    qos-constraint
                    sip-profile
                    sip-isup-profile
                    block-rtcp                    disabled
                    hide-egress-media-update      disabled
                    tcp-media-profile
                    subscription-id-type          END_USER_NONE

3. Media configuration

The SBC should be configured to bypass media traffic between the SBC and ClearIP. Call audio should not be sent to ClearIP.

4. Outbound call scenarios

After an outbound call has been processed by ClearIP, ClearIP responds in one of three ways:

  1. No fraud detected
  2. Fraud detected
  3. Diverted

These call flows are described below.

No fraud detected

No fraud detected
  1. The CFS sends a call to the SBC core realm (a)
  2. The SBC forwards the call to ClearIP (b, c)
  3. ClearIP returns a SIP 404 if no fraud detected and no Identity header returned. If STIR/SHAKEN authentication is requested, ClearIP returns an Identity header in a SIP 302 (d).
  4. If the Identity header is returned, then the SBC should copy the Identity header into the outgoing SIP Invite using the embedded header apporach described in Oracle Acme Packet SBC configuration for STIR/SHAKEN with ClearIP.
  5. SBC tries to forward the call to the Destination, the original target device (e)

Fraud detected

Fraud detected
  1. The CFS sends a call to the SBC core realm (a)
  2. The SBC forwards the call to ClearIP (b, c)
  3. ClearIP returns a SIP 603 (d)
  4. The SBC drops the call (e, f)

Diverted

Diverted
  1. The CFS sends a call to the SBC core realm (a)
  2. The SBC forwards the call to ClearIP (b, c)
  3. ClearIP returns a SIP 302 with the destination of the diversion device (d)
  4. SBC tries to forward the call to the diversion device (e)

5. SBC configuration

This section provides details on the SBC configuration settings for operation with ClearIP for outbound call scenarios.

High-level description

  1. The basic idea is to insert ClearIP into the normal configuration.
  2. The SBC should be configured to perform hunting (route advance) if ClearIP returns a SIP 404. The call routing policy rule for this part should be:
    1. Try ClearIP first
    2. Try other destinations
  3. By default, the SBC will perform hunting when it receives SIP 404 messages.
  4. The SBC should drop the call if ClearIP returns a SIP 603. This is the default behavior of the SBC, so no configuration should be needed.

The session agent for ClearIP should be configured to handle SIP redirect messages.

Instructions

A. Configure the AccessRealm SIP interface to use TCP

Important configuration items:

1.transport-protocolTCP
2.trans-expire5

ClearIP only supports TCP and TLS, so the SIP interface must be configured to support TCP. Trans-expire should be configured to allow the SBC to quickly fail a call attempt. This is useful if ClearIP is unavailable and the SBC timeout for establishing TCP connection is long.

  • Sample SIP interface configuration
    sip-interface
                    state                         enabled
                    realm-id                      AccessRealm
                    description
                    sip-port
                        address                   YOUR_PUBLIC_IP_HERE
                        port                      5060
                        transport-protocol        TCP
                        tls-profile
                        multi-home-addrs
                        allow-anonymous           all
                        ims-aka-profile
                    carriers
                    trans-expire                  5
                    initial-inv-trans-expire      0
                    invite-expire                 0
                    max-redirect-contacts         0
                    proxy-mode
                    redirect-action
                    contact-mode                  none
                    nat-traversal                 none
                    nat-interval                  30
                    tcp-nat-interval              90
                    registration-caching          disabled
                    min-reg-expire                300
                    registration-interval         3600
                    route-to-registrar            disabled
                    secured-network               disabled
                    teluri-scheme                 disabled
                    uri-fqdn-domain
                    trust-mode                    all
                    max-nat-interval              3600
                    nat-int-increment             10
                    nat-test-increment            30
                    sip-dynamic-hnt               disabled
                    stop-recurse                  401,407
                    port-map-start                0
                    port-map-end                  0
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    sip-ims-feature               disabled
                    subscribe-reg-event           disabled
                    operator-identifier
                    anonymous-priority            none
                    max-incoming-conns            0
                    per-src-ip-max-incoming-conns 0
                    inactive-conn-timeout         0
                    untrusted-conn-timeout        0
                    network-id
                    ext-policy-server
                    default-location-string
                    charging-vector-mode          pass
                    charging-function-address-mode pass
                    ccf-address
                    ecf-address
                    term-tgrp-mode none
                    implicit-service-route        disabled
                    rfc2833-payload               101
                    rfc2833-mode                  transparent
                    constraint-name
                    response-map
                    local-response-map
                    ims-aka-feature               disabled
                    enforcement-profile
                    route-unauthorized-calls
                    tcp-keepalive none
                    add-sdp-invite disabled
                    add-sdp-profiles
                    sip-profile
                    sip-isup-profile
                    tcp-conn-dereg                0
                    register-keep-alive           none
                    kpml-interworking             disabled
                    tunnel-name
                    msrp-delay-egress-bye         disabled
                    send-380-response
                    session-timer-profile

B. Configure ClearIP (sip.clearip.com) as a session agent

Important configuration items:

1.hostnamesip.clearip.com
2.port5060
3.transport-methodDynamicTCP
4.redirect-actionRecurse
5.ping-methodOPTIONS
6.ping-interval10
7.ping-send-modekeep-alive
8.ping-all-addressesenabled

ClearIP’s FQDN (Fully Qualified Domain Name), port, and transport protocol must be configured. The redirect action must be configured as recurse to allow the SBC to handle SIP redirect messages directly. Ping options should be configured to allow the SBC to detect ClearIP status instead of waiting for a TCP connection issue timeout.

  • Sample session agent configuration
    session-agent
                    hostname                      sip.clearip.com
                    ip-address
                    port                          5060
                    state                         enabled
                    app-protocol                  SIP
                    app-type
                    transport-method              DynamicTCP
                    realm-id                      AccessRealm
                    egress-realm-id
                    description
                    carriers
                    allow-next-hop-lp             enabled
                    constraints                   disabled
                    max-sessions                  0
                    max-inbound-sessions          0
                    max-outbound-sessions         0
                    max-burst-rate                0
                    max-inbound-burst-rate        0
                    max-outbound-burst-rate       0
                    max-sustain-rate              0
                    max-inbound-sustain-rate      0
                    max-outbound-sustain-rate     0
                    min-seizures                  5
                    min-asr                       0
                    time-to-resume                0
                    ttr-no-response               0
                    in-service-period             0
                    burst-rate-window             0
                    sustain-rate-window           0
                    req-uri-carrier-mode          None
                    proxy-mode
                    redirect-action               Recurse
                    loose-routing                 enabled
                    send-media-session            enabled
                    response-map
                    ping-method                   OPTIONS
                    ping-interval                 10
                    ping-send-mode                keep-alive
                    ping-all-addresses            enabled
                    ping-in-service-response-codes
                    out-service-response-codes
                    load-balance-dns-query        hunt
                    media-profiles
                    in-translationid
                    out-translationid
                    trust-me                      disabled
                    request-uri-headers
                    stop-recurse
                    local-response-map
                    ping-to-user-part
                    ping-from-user-part
                    li-trust-me                   disabled
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    p-asserted-id
                    trunk-group
                    max-register-sustain-rate     0
                    early-media-allow
                    invalidate-registrations      disabled
                    rfc2833-mode                  none
                    rfc2833-payload               0
                    codec-policy
                    enforcement-profile
                    refer-call-transfer           disabled
                    refer-notify-provisional      none
                    reuse-connections             NONE
                    tcp-keepalive                 none
                    tcp-reconn-interval           0
                    max-register-burst-rate       0
                    register-burst-window         0
                    sip-profile
                    sip-isup-profile
                    kpml-interworking             inherit
                

Important notes:

  1. Using TLS instead of TCP is optional. If TLS is desired, then the port should be set to 5061.
  2. Do not configure the sip.clearip.com session agent with a static IP address. The IP addresses for ClearIP will change for load balancing and maintenance. Using a static IP address for ClearIP will cause a service interruption. Use hostname sip.clearip.com instead.
  3. ClearIP does not respond to UDP or ICMP (ping) messages.

C. Configure the destination (dest.carrier.com) session agent as the original target device

  • Sample destination session agent configuration
    session-agent
                    hostname                      dest.carrier.com
                    ip-address                    192.168.1.19
                    port                          5060
                    state                         enabled
                    app-protocol                  SIP
                    app-type
                    transport-method              UDP
                    realm-id                      AccessRealm
                    egress-realm-id
                    description
                    carriers
                    allow-next-hop-lp             enabled
                    constraints                   disabled
                    max-sessions                  0
                    max-inbound-sessions          0
                    max-outbound-sessions         0
                    max-burst-rate                0
                    max-inbound-burst-rate        0
                    max-outbound-burst-rate       0
                    max-sustain-rate              0
                    max-inbound-sustain-rate      0
                    max-outbound-sustain-rate     0
                    min-seizures                  5
                    min-asr                       0
                    time-to-resume                0
                    ttr-no-response               0
                    in-service-period             0
                    burst-rate-window             0
                    sustain-rate-window           0
                    req-uri-carrier-mode          None
                    proxy-mode
                    redirect-action
                    loose-routing                 enabled
                    send-media-session            enabled
                    response-map
                    ping-method
                    ping-interval                 0
                    ping-send-mode                keep-alive
                    ping-all-addresses            disabled
                    ping-in-service-response-codes
                    out-service-response-codes
                    load-balance-dns-query        hunt
                    media-profiles
                    in-translationid
                    out-translationid
                    trust-me                      disabled
                    request-uri-headers
                    stop-recurse
                    local-response-map
                    ping-to-user-part
                    ping-from-user-part
                    li-trust-me                   disabled
                    in-manipulationid
                    out-manipulationid
                    manipulation-string
                    manipulation-pattern
                    p-asserted-id
                    trunk-group
                    max-register-sustain-rate     0
                    early-media-allow
                    invalidate-registrations      disabled
                    rfc2833-mode                  none
                    rfc2833-payload               0
                    codec-policy
                    enforcement-profile
                    refer-call-transfer           disabled
                    refer-notify-provisional      none
                    reuse-connections             NONE
                    tcp-keepalive                 none
                    tcp-reconn-interval           0
                    max-register-burst-rate       0
                    register-burst-window         0
                    sip-profile
                    sip-isup-profile
                    kpml-interworking inherit

D. Set the ClearIP session agent as the first enabled destination in the existing local policy

  • Sample local policy configuration
    local-policy
                    from-address
                                                  *
                    to-address
                                                  *
                    source-realm
                                                  CoreRealm
                    description
                    activate-time N/A
                    deactivate-time N/A
                    state enabled
                    policy-priority none
                    policy-attribute
                    next-hop sip.clearip.com
                    realm AccessRealm
                    action none
                    terminate-recursion disabled
                    carrier
                    start-time 0000
                    end-time 2400
                    days-of-week U-S
                    cost 0
                    app-protocol
                    state enabled
                    methods
                    media-profiles
                    lookup single
                    next-key
                    eloc-str-lkup disabled
                    eloc-str-match
                    policy-attribute
                    next-hop dest.carrier.com
                    realm AccessRealm
                    action none
                    terminate-recursion disabled
                    carrier
                    start-time 0000
                    end-time 2400
                    days-of-week U-S
                    cost 0
                    app-protocol
                    state enabled
                    methods
                    media-profiles
                    lookup single
                    next-key
                    eloc-str-lkup disabled
                    eloc-str-match
                

6. Sending SIP INVITEs to ClearIP

If the above configurations have been implemented successfully, then the SBC should be able to send a SIP INVITE to ClearIP.

The following is an example SIP INVITE message with the minimum number of SIP headers required by ClearIP. ClearIP will accept a SIP INVITE in any format, with no limit on additional headers and the SDP (Session Description Protocol) information.

INVITE sip:18001234567@sip.clearip.com:5060 SIP/2.0
            Via: SIP/2.0/TCP sip.clearip.com:5060
            From: <sip:14045266060@5.6.7.8:5060>;tag=123456789
            To: sip:18001234567@1.2.3.4:5060
            Call-ID: 1-12345@5.6.7.8
            CSeq: 1 INVITE
            Max-Forwards: 70
            Content-Length: 0
            

ClearIP should respond to the SIP Invite with a SIP 403 Forbidden until the SBC’s IP address has been defined in the ClearIP user interface. After the SBC’s IP address has been added to ClearIP, then ClearIP can respond to the SIP INVITE with a SIP 404, SIP 603, or SIP 302.

Appendix

CFS local routing policies

This documentation mentions Call Feature Server local routing policies in previous sections but does not show them explicitly in any of the above SBC configurations. Call Feature Server local routing policies play a very important role in the SBC outbound call scenario configuration. This section discusses the CFS local routing policies and how they influence the SBC configuration.

In outbound call scenarios, the Call Feature Server performs routing look up tasks. It sends SIP INVITE messages containing the routing information of the destinations to the SBC. Normally, there are three ways to do it:

  1. Send SIP INVITE messages to different SBC core network interfaces for different carriers/destinations.
  2. Send SIP INVITE messages to a single SBC core network interface. The SIP INVITE messages contain the routing information of the destinations, such as trunk group ID.
  3. Send SIP INVITE messages to the SBC working as an outbound proxy. The SIP INVITE messages directly contain the IP/FQDN of the destinations in the Request-URI.

The first routing approach is the simplest one. The routing logic on the SBC is clear and easy to implement. This documentation uses this approach. One thing that was not mentioned in previous sections is that for this approach, multiple core realms/sub-realms should be configured. Each core realm/sub-realm maps to one set of carriers/destinations. When the CFS sends a SIP INVITE to a certain SBC core realm, the SBC local policy forwards it to a certain set of destinations.

The second routing approach is also commonly used although it is a bit more complicated. The SBC must be configured to route the calls based on additional parameters such as the trunk group ID. The SBC has internal mechanisms to route calls based on the trunk group ID, which is not discussed in this documentation. If more general parameters are used for routing purpose, the SBC configuration will be more complicated.

The third approach is only supported by some call feature servers. It is also difficult for the SBC to insert ClearIP into its local policies. This documentation does not provide any details about this approach.

Oracle Acme Packet SBC configuration for ClearIP outbound scenarios