Sangoma NetBorder/Vega Session Controller
http://wiki.sangoma.com/NetBorder-Session-Controller

-------------------------------------------------------------------------------------------------------------
2017-12-14: NSC 2.2.14-57-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Added handling of native codec recording to oreka module

== BUG FIXES ==

* Fixed issue CVE-2017-17430: Web ui security vulnerabilities that could be exploited to execute system commands remotely through the web interface.
* Fixed issue with intrusion detection logs not being rotated
* Fixed lost audio issue after resuming from hold when using g726 codec
* Fixed T38 negotiation issue when the first T38 re-invite comes with IP 0.0.0.0 or port 0
* Fixed issue with Update widget on top bar still showing the wrong current version after update

-------------------------------------------------------------------------------------------------------------
2017-02-01: NSC 2.2.13-55-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Added mod_expr as a built-in module.
  This allows the dial-plan to perform basic math operations such as random number generation
* Changed ceiling for number of domains per profile from 25 to 200
* Enabling/Disabling SIP relay no longer requires a restart
* Performing NAPTR lookup when resolving gateway host is now supported
* Web config logs are now rotated via system logrotate
* OpenSSL library updated to latest release

== BUG FIXES ==

* Fixed IPv6-related issue preventing T.38 passthrough from working properly for the DSP module
* Introduced preregister event to be sent to SIP security monitoring service for register requests without authentication
* Fixed wrong parsing of host address in the SIP library resulting in packet capture messages getting sent to the wrong port
* Fixed invalid pointer access when reporting ESL missed events
* Fixed premature processing of re-Invites when setting up a T.38 call
* Fixed issue where SBC can choose the wrong crypto attribute when multiple SRTP crypto tokens are present in the offer
* Fixed gateway dialplan not identified if trunk registration is enabled
* Corrected wrong SQL syntax when recreating subscription table
* Fixed wrong registrar assignment for registration refresh when multiple registrars share an FQDN
* Fixed broken nsc/dsp/capacity script resulting in "Operations Not Permitted" error when invoked
* Fixed webui to gracefully handle large CDR files when creating support backup
* Fixed webui wrongly notifying that an update is available after an upgrade

-------------------------------------------------------------------------------------------------------------
2017-01-11: NSC 2.2.12-54-GA
-------------------------------------------------------------------------------------------------------------

== BUG FIXES ==

* Fix service failure caused by mod_event_socket referencing an invalid address when reporting missed events

-------------------------------------------------------------------------------------------------------------
2016-10-05: NSC 2.2.11-53-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Introduced new sip profile configuration parameter enable-3pcc-relay-alerting that allows forwarding 18X sip provisional responses in 3PCC scenarios.
* Added support for uploading pkcs12 and p7b TLS certificate file formats from the web ui.
* Added ability to forward hold/unhold reinvites when not in upreg mode. This feature can be activated by the sip_reinvite_passthru channel variable.

== BUG FIXES ==

* Fix wrong RTCP statistics reported by the hardware DSP when a huge timestamp gap occurs.
* Fixed service failure when using H323 signaling caused by race condition within the H323 stack library.
* Fixed sip trunks configuration loading issue when several trunks using the same sip profile have the same realm. Introduced new configuration parameter allow-port-in-gateway-identity to enable this per sip trunk.
* Fixed rejected Notify issue in upreg scenario caused by wrong sip To header sent to remote.
* Fixed issue with sip ACK getting sent to wrong address when DNS round robin is being used.
* Fixed web ui advanced logs displaying issue.
* Fixed web ui routing display issue when there are more than 100 call routes configured.
* Fixed web ui license page display issue with licensing information displayed two times.

-------------------------------------------------------------------------------------------------------------
2016-08-23: NSC 2.2.10-52-GA
-------------------------------------------------------------------------------------------------------------

== BUG FIXES ==

* Fixed sip signaling issue caused by race condition between a CANCEL being sent by the SBC and the INVITE 200 OK being received at the same time.
* Fixed web ui broken network configuration pages issue introduced by the Advanced logs display enhancement in version 2.2.9-50

-------------------------------------------------------------------------------------------------------------
2016-08-19: NSC 2.2.9-50-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Made IAX endpoint creation configurable for H323 profiles
* Added interoperability parameter to work around a Microsoft Lync issue where Lync tries to play MOH while the endpoint was put on hold with inactive streams.
  Added new channel variable parameter named media_audio_mode_inactive_to_recvonly. If that channel variable is set to "true", received inactive media m lines will be considered as sendonly, thus the SBC will be in recvonly mode.
* Added a new channel variable to control refer To headers mangling in upper registration scenarios on a per call basis.
  That channel variable is named sip_refer_to_mangled_user and possible values are true (always mangle all refer To headers), false (never mangle refer To headers), blind-only (mangle refer To headers for blind transfer only), attended-only (mangle refer To headers for attended transfer only).
* Added new channel variable allowing reuse of the same call-id for the second invite resulting from a 302 redirect received by the SBC.
  That channel variable name is sip_redirect_call_id and when set to true, the invite resulting from a 302 redirect will have the same sip call-id as the initial invite.
* Added an update checker to the webui.
  The update checker checks for available updates from Sangoma once a day if the SBC has internet access. If any update is found, the web ui notifies the user that the update is available and lets the user download and install it if they choose to.
* Updated php version from 5.5.9 to 5.5.37

== BUG FIXES ==

* Fixed service failure caused by memory corruption in H323 stack library.
* Fixed memory leak caused by leaked tcp connection tport objects when a tcp connect fails because of invalid remote peer.
* Fixed service failure in upper registration scenarios when re-invite is received from the PBX side.
* Fixed issue with wrong session timers refresh setting when re-invite is received from the outbound leg.
* Fixed service failure issue in upper registration scenarios when forwarded subscribe is not answered by the PBX side.
* Fixed service failure issue in upper registration caused by race condition between registration refresh from a phone and invite from the PBX towards that same phone.
* Fixed service failure in upper registration when received invite does not contain any user part.
* Fixed one way audio issue in upper registration scenarios when PBX sends re-invite immediately after sending the 200 OK to connect the call.
* Fixed cancel handling race condition preventing the SBC from sending a cancel when the cancel is issued at the same time the B leg answers the call.
* Fixed sip security monitor failure when received event does not contain all the expected headers.
* Fixed web ui advanced logs displaying issue.
* Fixed issue with cdr rotator failure when disk is full.

-------------------------------------------------------------------------------------------------------------
2016-06-03: NSC 2.2.8-49-GA
-------------------------------------------------------------------------------------------------------------

== BUG FIXES ==

* Fixed memory leak issue when forwarding sip request in upper registration scenarios.
* Fixed uncleared automatic DNS issue when changing ip assignment from dhcp to static.
* Fixed wrong default transport in sip profile issue when received request url and contact do not contain any transport parameter.
* Fixed issue with network validation acl list not being synchronized on sip profile restart.
* Improved recovery resiliency when the disk has leftover RAID partition data in the same place where new partitions are created, by deactivating any RAID detected by the kernel during the recovery process.
* Fixed firewall panic mode issue caused when rule name is too long.
* Fixed web ui issue with factory reset not deleting created users.
* Fixed web ui issue with ipv6 gateway validation not allowing link-local address.
* Fixed web ui issue not properly setting ssh public key.
* Fixed web ui issue not accepting some special characters in sip trunks password field.

-------------------------------------------------------------------------------------------------------------
2016-05-06: NSC 2.2.7-47-GA
-------------------------------------------------------------------------------------------------------------

== BUG FIXES ==

* Fixed service failure issue when sip profile max request uri length is set and a request without user part in the request uri is received.
* Fixed service failure issue in upper registration upon reception of SIP OPTIONS message not containing any user part in From header.
* Fixed memory corruptions in upper registration caused by race conditions during message handling that can lead to service failures.
* Fixed memory leaks in upper registration during expired authentication challenge cleanup.
* Fixed web ui issue failing to properly generate ip firewall rules when ip whitelist is used on open ports.

-------------------------------------------------------------------------------------------------------------
2016-04-08: NSC 2.2.6-41-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Allowing all SUBSCRIBE events to pass through when upper registration mode is used.
* Added upper registration resiliency support. This refers to the ability to route calls directly to an upper registered phone when the registrar PBX is down.
* Added ZRTP support when host media processing is used (software mode).
* Added support for PUBLISH and OPTIONS pass through in upper registration scenarios.
* Added option to allow forwarding REFER-To and REFERED-By headers in upper registration scenarios.
* Added configuration options to allow modifying h245tunneling and bearer capability for H323.
* Added SIP Trunk support for Network ACL validation.
* Removed the requirement of sip trunk CAC "Max Sessions" for sip trunk routing plan to take effect.
* Integrated new IGB network driver for Lanner 8771 appliances.
* Updated TDM Gateway package to 5.2.0 113 version.
  See Changelog here: ftp://ftp.sangoma.com/nsg/5.2/Changelog/NSG-5.2-113-changelog-wiki.txt

== BUG FIXES ==

* Fixed No Audio issues when RTP auto adjust mode was being used with DSPs.
* Fixed non applied RTP TOS value in RTP packets when host media processing is used (software mode).
* Fixed audio quality issues for SIP to H323 calls.
* Fixed wrong RTP port range setting issue when host media processing is used (software mode).
* Fixed service failure issue caused by some race conditions during upper registration expiration.
* Fixed TLS memory leak issues.
* Fixed TLS connection dropping issue caused by secondary connection tear down.
* Fixed network audit points behaviour when interfaces were not configured or not present on system.
* Fixed web ui issue with configuration backup restore overriding license file even if skip license is checked.
* Fixed web ui issue preventing download of support backup when pcap capture folder size is big.
* Fixed web ui issue reporting incorrect session capacity usage.
* Fixed web ui issue with DHCP settings not properly applied during upgrade.
* Fixed web ui issue not automatically redetecting media interfaces after configuration restore.
* Fixed web ui issue with configuration backup restore going into infinite loop.

-------------------------------------------------------------------------------------------------------------
2016-01-20: NSC 2.2.5-38-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Allow asymmetric rfc2833 payload type when using DSP media stack.
* Added new dialplan application sip_dns_resolve that allows making DNS SRV queries from the dialplan. Useful for authenticating calls from sip trunks configured with FQDN
* Changed pcap captures file naming convention to keep the .pcap extension.
* Allow user to configure the max capture size.
* Added web ui notification during firmware update.
* Updated TDM Gateway package to 5.2.0 110 version.
* Integrated new network IGB driver for Lanner 8771.
* Allow sip stack timers configuration from sip profile configuration page.
* Improved security by automatically enabling ip address authentication in sip profiles if any upper registration domain was bound to that sip profile.

== BUG FIXES ==

* Fixed ARP response issue when using multiple IPs on the same subnet on different interfaces.
* Fixed issue where changes to existing domain parameters from the web ui were not applied when reloading configuration.
* Fixed issue with SIP Firewall rules not working on REGISTER without authorization header.
* Fixed memory corruption issues in upper registration scenarios.
* Fixed memory leak issues in upper registration scenarios.
* Fixed service failure issue in upper registration when call gets rejected by outbound leg.
* Fixed race condition issue preventing outbound leg from being cleared when it offers unsupported codec after early media.
* Fixed issue with IP firewall blocking internal DSP ping status ICMP requests.
* Fixed web ui critical media firewall error notification caused by unhandled exception.
* Fixed web ui upgrade issue when TDM cards are being used.
* Fixed web ui factory reset issue causing the network configuration to be lost entirely.
* Fixed webconfig service failure after upgrade.
* Fixed issue with configuration backup overwriting network/license settings.
* Fixed issue with wrong default gateway after deleting the gateway IP interface.
* Fixed issue where deleting a vlan interface doesn't remove its configuration file.
* Fixed issue with gso not disabled for DSPs interfaces.
* Fixed web ui configuration restore issue with VLANs not properly restored.
* Fixed RTP ports overlapping issue when DSPs are being used in parallel with host media processing.
* Fixed issue with non-terminated sessions when http CDRs are being used and the http CDR upload blocks on remote end.
* Fixed issue with sip firewall not able to block friendly scanner REGISTER requests that do not contain an authorization header.
* Fixed web ui issue with CDR downloading caused by zip library taking all available memory.

-------------------------------------------------------------------------------------------------------------
2015-11-20: NSC 2.2.4-35-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Unsolicited NOTIFY and MESSAGE forwarding from dialplan
  The SBC can now forward received unsolicited (out of call) SIP NOTIFY and SIP MESSAGE.
  User can configure a forward/relay dialplan context for a profile and implement dialplan logic in order to properly forward those sip messages when received on a sip profile.
  As of current version, only SIP NOTIFY and SIP MESSAGE can be forwarded.
* Upper registration round-robin load balancing
  User can now configure several registrar servers when enabling forward registration on a domain.
  The SBC will use a round-robin load balancing algorithm to forward the received registration requests to the configured registrar server list.
  When a registrar server is reported as down, it will not be considered by the load balancing algorithm when trying to assign a registrar server to a new registration request.
* IP whitelist allowed for each opened service port through the IP firewall
  If the address field is present on an "opened port" entry, the SBC allows access to that opened port only from the ip address/mask present in this field and blocks all other ips.
  If no address is specified, the SBC allows connections from any host.
* mod_oreka now distributed with SBC modules.
  User can now manually configure mod_oreka in order to use it with his SBC.
* Improved Support Backup to include iptables output and DSP mode.
* Improved DSP performance by adding a new DSP operation mode when more than one sngdspX interface is present.
* Now exposing 'autoneg' and 'duplex' configuration settings for non DSP interfaces.

== UPGRADE NOTES ==

* registrar server, registrar port and register transport configuration fields, for a domain with forward registration enabled, have been deprecated.
  To specify a registrar to forward the domain registrations to, user must now create a sip trunk towards that registration server and attach that sip trunk to the registrar gateways list of the domain.
  The upgrade process will automatically adjust existing configuration to match this new requirement.

== BUG FIXES ==

* Fixed memory leak issue in freeradius-client library. Upgraded freeradius library to 1.1.7 to fix the memory leak.
* Fixed wrong memory management issue when using session log dumping feature.
* Fixed unresponsive service issue in upper registration caused by a race condition when stopping profile while cleaning existing expired registrations.
* Fixed upper registration issue where thru registration context is lost when restarting the SBC or reloading the profile configuration.
* Fixed potential memory corruption in upper registration scenarios.
* Fixed upper registration invalid CSeq numbers issue.
* Fixed upper registration issue where accept header is missing from forwarded SUBSCRIBE and NOTIFY
* Fixed SIP firewall service failure because of inactive connection.
* Fixed web ui issue forcing basic dialplan export action to always skip setting the channel variable for inbound leg.
* Fixed web ui issue with the username/password field and filter vulnerable to xss attack.
* Fixed web ui issue with PHP version shown in webserver configuration.
* Fixed web ui issue where restoring a system backup from older 2.1 overwrites my.cnf
* Fixed web ui issue where factory reset does not bring SBC back to static 192.168.168.2
* Fixed web ui issue where after software upgrade, the system is restarted but the cookies were not cleared.
* Fixed web ui issue where an interface without any ip assigned fails to come up.
* Fixed issue where web ui permits a user to set a default gw not in any local subnet.
* Fixed web ui issue where sip trunk did not allow '@' symbol in username and auth-username fields.
* Fixed web ui issue where webpage session cache was not cleared after upgrade causing the web ui to be inaccessible.

-------------------------------------------------------------------------------------------------------------
2015-10-15: NSC 2.2.3-28-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Added sip profile configuration parameter to enable/disable talk/hold events support
* Added ability to forward in call NOTIFY messages for non upper registration calls
* Upgraded built-in TDM gateway driver version to 7.0.14.31

== BUG FIXES ==

* Fixed service failure issue caused by race condition when transfer is being performed during call setup.
* Fixed issue in upper registration where authentication INVITE for challenge from endpoints was using a different call id.
* Fixed issue in upper registration where received challenged header was not properly relayed for REFER requests.
* Fixed T.38 negotiation failure when audio media description with port 0 is present from remote T.38 re-invite SDP.
* Fixed upper registration issue when re-invite is challenged by PBX or endpoint.
* Fixed wrong logging when user part is not present in received contact header.
* Fix issue with the built-in TDM gateway not being able to forward media to the SBC when the firewall is started
* Fix web ui issue where DSP status reports error if first DSP is deactivated
* Fixed web ui issue preventing deletion of newly added users after upgrade.
* Fixed web ui failure occurring if installation is done when TDM cards are present on the system.
* Fixed web ui configuration restore process not to copy ethernet mac addresses from a different system.
* Fixed issue with support backup not containing SBC version.
* Fixed web ui issue where vlan static rules were incorrectly applied.

-------------------------------------------------------------------------------------------------------------
2015-08-21: NSC 2.2.2-22-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Improved DSP failover reliability to better handle hardware or firmware failures on a DSP
* Added ssh key field to the web ui for system users to allow ssh key authentication
* Added Auto-restart prompt after a successful upgrade
* Show the routing plan for every SIP profile in the main profile listing web page
* Add warning if configuring more allowed sessions than licensed

== BUG FIXES ==

* Fixed issue with TCP port-forwarding using an incorrect source address after the packet was forwarded
* Fixed sporadic service restart due to a race condition when processing sip events
* Update DSP firmware to 02.01.09-B1-PR to address a DSP halting problem
* Fixed transcoding failure from G.726 to iLBC
* Fixed issue in sngtc_tool command line disrupting existing sbc sessions
* Fixed issue with burst of RFC2833 DTMF digits not passing through
* Fix memory leak on sessions that timeout due to RTP inactivity
* Fix restart on upper registration expiration check
* Fix restart due to incorrect SDP parsing
* Fix issue with user management after updating from NSC 2.1 releases
* Fix issue with the SIP firewall hanging sporadically
* Fix PHP fatal error when importing large LCR tables
* Fix issue with the built-in TDM gateway not being able to forward media to the SBC when the firewall is started

-------------------------------------------------------------------------------------------------------------
2015-06-15: NSC 2.2.1-18-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* Added peak sessions per second statistics on the 'status' command
* Added CSV CDR module (must be manually configured, no web gui support)
  Make sure you set up a log rotation schedule suitable to your call load and available disk space
* Included custom Python and Lua routing support
  Both modules must be loaded using modules_custom.xml as they are not loaded automatically
* Improved the usability of web ui restart page

== BUG FIXES ==

* Fixed issue with some services sometimes not restarting when the main SBC service is started
* Fixed issue with upper registration not relaying authentication information for non-challenged REGISTER messages
* Fixed issue with the RTCP SDES that could cause invalid RTCP packets to be sent when the software RTP stack is in use
* Fixed SDP parsing for G.723.1 when endpoints use 6.3 instead of 6300 in the codec specification
* Fixed G.723.1 silence suppression SDP negotiation
* Fixed small memory leak in upper registration REGISTER authentication
* Fixed web ui breadcrumb displayed menu when rebooting the system
* Fixed 'External RTP IP' validation that was still allowing an old invalid field format
* Fixed issue introduced in NSC 2.2.0 causing the web ui to not accept valid host:port syntax for the SIP trunk domain field
* Fixed some variants of the iLBC and AMR codecs not being available during SDP negotiation
* Fixed issue with the sip security monitor not starting when there are pre existing ip objects blocked in the database
* Fixed issue with the sip security monitor failing to block ip addresses when the IP firewall is started first
* Fixed updates reporting success even in failure situations
* Fixed web update dialog closing when pressing escape
* Fixed web ui not asking to restart after restoring a configuration

-------------------------------------------------------------------------------------------------------------
2015-06-04: NSC 2.2.0-16-GA
-------------------------------------------------------------------------------------------------------------

== FEATURES & IMPROVEMENTS ==

* IPv6 support
  The SBC is now fully IPv6-enabled, you can create firewall rules, sip trunks, access control, and all other SBC configurations using IPv6
  You can perform interworking (protocol conversion) from IPv4 to IPv6 and vice versa
* IP Firewall Improvements
  The IP firewall functionality has been heavily improved.
  Automatic firewall rules are created and destroyed when enabling, modifying or disabling services in the SBC such as new SIP profiles and management services like web and ssh
  Support for port-forwarding has been introduced. You no longer need custom hand-written rules
  You can now integrate scripts to customize IP firewall behavior
* Networking Improvements
  The networking configuration has been improved and simplified.
  The DSP configuration is automatically done for 'hidden' hardware mode and it is no longer required to have an IP address assigned for the sngdsp device when working in exposed mode
* WebSSH
  You can now access an SSH console from the web interface
  Just follow the menu System -> Management -> WebSSH
* TDM gateway integration
  Sangoma TDM gateway software is now available for SS7, PRI, MFCR2 protocols when there is TDM hardware installed
* TR-069 protocol support
  SBC configuration can be managed via TR-069, see the CWMP service under System -> Management -> CWMP
* Registration Security Improvements
  You can now completely block SIP messages from unregistered endpoints
* New GUI design
  The web ui visual aspect and usability have been re-designed, there is a new menu bar at the top with common useful status information

== UPGRADE NOTES ==

* The '-- Same Profile --' option is no longer valid when configuring SIP upper registration
  You have to select a profile that is exclusively used to communicate with the PBX and not to talk to other user agents (e.g. phones)
* The IP firewall rules must be reviewed after update.
  The SBC firewall has received major changes in this release and now RTP, SIP, SSH and all other SBC services automatically create firewall rules when they are enabled; there is no need to manually create the firewall rules for them.
  This means many of the existing rules might be duplicated after updating from an older release. Be sure to double check your rules after upgrading to this release
* There is a current limitation of 8 IP addresses per system
  This limitation applies to systems with hardware transcoding. If you need more than 8 IP addresses please contact Sangoma for possible work-arounds
* Enhanced security mode option in the media firewall was removed
  This option is now removed as it reduced performance significantly and the DSP discards RTP traffic from unknown sources on its own without requiring help from the host kernel
* SIP and RTP external profile addresses now accept only IPv4 or IPv6 static addresses.
  The option to accept dynamic addresses using the autonat:, stun: or host: prefixes has been deprecated and is no longer accepted
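
The 2.2.0 upgrade note above warns that hand-written firewall rules may duplicate the rules the SBC now creates automatically. The Python script below is an added example, not Sangoma code: it reports rules that occur more than once in the same chain of an `iptables-save` dump, assuming the IP firewall is iptables-based (the changelog mentions iptables output in the support backup); the sample dump and all function names are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample in iptables-save format (not taken from a real SBC).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m comment --comment "hand-written sip rule" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.0.2.10:22
COMMIT
"""


def normalise(tokens):
    """Drop '-m comment --comment <text>' so that rules differing only in
    their comment compare equal (an assumption about how a hand-written
    rule and an automatically created one might differ)."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "-m" and i + 1 < len(tokens) and tokens[i + 1] == "comment":
            i += 2
            continue
        if tokens[i] == "--comment" and i + 1 < len(tokens):
            i += 2
            continue
        out.append(tokens[i])
        i += 1
    return tuple(out)


def find_duplicate_rules(dump):
    """Return {(table, chain): [(rule_spec, [line numbers]), ...]} for every
    rule that appears more than once in one chain of one table."""
    seen = defaultdict(list)
    table = None
    for lineno, raw in enumerate(dump.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and chain policy declarations.
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("*"):          # start of a table section
            table = line[1:]
            continue
        if line == "COMMIT":              # end of a table section
            table = None
            continue
        tokens = shlex.split(line)        # honours the quoted comment text
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, spec = tokens[1], normalise(tokens[2:])
        seen[(table, chain, spec)].append(lineno)

    dupes = defaultdict(list)
    for (tbl, chain, spec), lines in seen.items():
        if len(lines) > 1:
            dupes[(tbl, chain)].append((" ".join(spec), lines))
    return dict(dupes)


if __name__ == "__main__":
    for (tbl, chain), rules in find_duplicate_rules(SAMPLE).items():
        for spec, lines in rules:
            print(f"{tbl}/{chain}: '{spec}' repeated on lines {lines}")
```

To check a real system, pass the text of an `iptables-save` dump taken after the upgrade to `find_duplicate_rules` in place of `SAMPLE`.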