Posted by David Lover on May 7, 2020 10:00:00 AM
When it comes to planning for a remote and mobile workforce, a lot of companies are entering the second phase of their strategy, in which they are planning for a more permanent solution. The first phase was somewhere along the lines of, “This may not be the best approach, but we just need to get it done.” This included leveraging a lot of free temporary licenses, which typically had 30-90 day expiration dates, so they now need to figure out what’s next. At ConvergeOne, we’ve been having a lot of conversations about permanent solutions with customers. It might be because these customers think the “shelter in place” orders will be getting extended longer than first anticipated, but it might also be because people are seeing firsthand the value of enabling a remote, mobile workforce.
But this is where you have to be careful. A lot of companies’ phase-one plans involved taking advantage of the infrastructure they already had—and rightfully so—but unfortunately, a lot of that infrastructure is old and leverages best practices that existed 10+ years ago. Things are different now. We wouldn’t deploy new remote workers the way we did 10 years ago.
Rather than make those old, temporary licenses permanent, companies should be looking at current approaches. One of the biggest conversations around this topic is about the use and adoption of SIP. While SIP trunks have clearly become the mainstream approach for most companies, many have not yet migrated from H.323 to SIP for stations, endpoints, and clients. The good news is that for a lot of vendors and customers, the infrastructure needed to support SIP endpoints is the same as what is needed for SIP trunks. Therefore, they may very well have a lot of the required components already.
A bigger question keeps coming up: Why is SIP so much better for remote workers than H.323?
This is actually a conversation that we at ConvergeOne started having about four years ago, but for a lot of people, it’s a new topic. John Waber, one of ConvergeOne’s Senior Technical Instructors in our Center of Excellence, and I put our heads together to do a compare-and-contrast of these two protocols.
Advantages of SIP
Bring Your Own Device
- Avaya has worked hard to get its SIP soft clients to work on more platforms than its H.323 clients. There are versions of the IX Workplace client (formerly known as Equinox Client) that can be loaded on Windows, Mac, Android, and iOS. In contrast, the H.323 (i.e., Avaya Communicator) soft client is supported primarily on Windows, but also on Mac. In other words, the SIP client can run on smartphones and PCs, while the H.323 client is designed to run on PCs. But forget the brand-name part of this: SIP allows for more flexible mobility, as described next.
Allows Greater Mobility
- We rarely drag our laptops around, but most of us keep our smartphone with us at nearly all times. Therefore, the SIP solution embraces greater mobility than an IPsec VPN solution. Mobile apps have to work ALL the time, without having to put thought into it ahead of time. No one will say to themselves, “I think I’m about to receive a call, so I better launch my VPN client.” It just has to be available ALL of the time, and SIP, with a session border controller, is the only way to provide that “always connected” experience inside the enterprise or out.
Multi-Modal and Extensible
- H.323 is highly optimized towards voice communication, and provides video almost as an afterthought. SIP is agnostic about the media, meaning it can support voice, video, chat, and presence equally well.
- SIP’s extensible nature will allow developers to use the same SIP protocol for advanced features and capabilities. For example, the SIP-standard use of Subscribe, Publish, and Notify allows devices to subscribe to vendor-specific features. Another example is the fact that we can embed an account number in the same SIP Invite that launches a call to a contact center agent or agent desktop, and could potentially kill off ancient CTI protocols like TSAPI.
- At any given time, a user can only register one H.323 device. In contrast, with Avaya’s SIP, up to ten devices can be simultaneously logged in with exactly the same credentials. When a call comes in, they all ring simultaneously. This allows the user to answer the call on the device that is either most convenient or has the capabilities (e.g., video) needed for the session.
SIP is Not as Proprietary
- H.323 (or UNISTIM or SCCP) phones are highly proprietary. They will only work with one phone system. In contrast, SIP phones conform to open standards. That means it is possible to get Cisco, Polycom, or other vendors’ SIP phones to make/receive calls in the Aura system. Technically, they can even be configured to get some features from Communication Manager (through Feature Access Codes, Feature Name Extensions, or SIP User-Agent based Header Manipulation).
SIP is the Future
- SIP is considered to be the common standard that nearly all Unified Communications (UC) vendors are embracing. That means that a SIP environment opens a customer environment to an ever-increasing choice of products.
- Manufacturers are putting their research and development into SIP first. For example, all of Avaya’s current endpoints, such as the J100 series, Vantage, and IX Workplace (formerly known as Equinox), are shipped with SIP-based firmware initially. Only the J100 series can even be converted down to H.323. Vantage and IX Workplace do NOT support H.323 at all.
- SIP is easier to troubleshoot. Most of this is due to the fact that customers lack administrative access to the IPsec VPN infrastructure. That’s usually managed from a group separate from “telecom,” requiring more coordination of effort among the customers’ teams. Session border controllers are managed as part of the UC infrastructure and are generally much easier to gain access to and to troubleshoot. The fit-for-purpose nature of the session border controller also adds to the simplicity of the solution.
- Voice quality is almost always better with SIP than with H.323. Yes, they both can do HD Audio (i.e., G.722 and OPUS), but with remote H.323, their only connectivity is through the IPsec VPN tunnel. The problem that comes up here is that a remote worker’s home router has absolutely no way to identify the traffic inside the IPsec VPN tunnel. It’s “encapsulated,” so their home router has no way to see any QoS-tagged packets. Given that most remote workers have limited upload throughput, they really need their home router to see those tags and prioritize appropriately. SIP traffic is encrypted at the source, not just through the tunnel. Its QoS tags remain intact and can be prioritized as needed. Granted, all bets are off once the traffic hits the Internet—but usually voice quality problems stem from the user’s home network and their access to the Internet, not necessarily the Internet itself. We generally find that SIP traffic will have much better voice quality than H.323 for these reasons.
Negatives of SIP
More Complex Setup
- A SIP solution requires administering two “communication” systems, namely Session Manager and Communication Manager. Most of the additional complexity is handled seamlessly through a common management interface called System Manager, and the integration steps required are done once. Thereafter, additional SIP phones can be added quickly through the use of CM Templates, SMGR User Provisioning Rules, and User Profiles. It should be noted that a significant portion of the administration of SIP Users was already done when SIP trunks were deployed. Avaya uses a common architecture for ALL of their SIP traffic.
More Equipment to Acquire
- First, supporting SIP endpoints requires the acquisition of one or more Aura Session Managers (ASM). That’s because all SIP endpoints talk directly to only ASM, which in turn routes their request to other SIP Entities such as CM. Setting up Remote Worker requires the addition of Avaya’s Session Border Controller Enterprise (SBCE) for three reasons:
- 1) As a security device that inspects both the SIP and Media traffic
- 2) To perform Network Address Translation at Layer 7 (as opposed to a firewall’s NAT at Layer 4)
- 3) To modify the SIP addresses and SIP headers to make them both easier to route and more compatible with Aura. Again, this is the same infrastructure that was already deployed for SIP trunks.
- While you can use just about any vendor’s session border controller for SIP trunks, you really do need to use Avaya’s SBCE for remote worker. All session border controllers support the SIP and Media traffic, but only Avaya’s SBCE has relays for transferring the firmware and 46xxsettings files needed by 96xx or J1xx hard phones, and the PPM (Personal Profile Manager) traffic needed by all Avaya endpoints. Avaya’s session border controller can natively support Load Balancing, Dynamic Licensing, Application Relay, and the STUN/TURN services needed for WebRTC. Oh, and Avaya’s session border controllers are virtualizable, and a significant portion of the licenses are included as entitlements with the UC license bundles.
- This isn’t actually a negative of SIP, but it is something that customers need to pay attention to. From the beginning of VoIP, customers used horrible endpoint passwords in order to make it easy for telecom to deploy endpoints on behalf of the end users. While still dangerous from an internal spoofing perspective, remote H.323 endpoint traffic was encapsulated in an IPsec VPN tunnel managed by IT that enforced a strong password policy. With the elimination of the IPsec VPN tunnel, customers need to remember to apply the same rigid password policies of complexity and aging to their endpoints. ConvergeOne’s C1CX PasswordPro, a SaaS-based cloud offer, is a powerful tool for enforcing this compliance while reducing administrator and helpdesk resources.
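The complexity and aging checks described in the last point can be scripted at provisioning time. The following is an added example, not ConvergeOne or Avaya code; the thresholds, record layout, and sample credentials are constructed assumptions.

```python
from datetime import date
import string

MIN_LENGTH = 12      # assumed policy value
MAX_AGE_DAYS = 90    # assumed policy value
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def findings(extension, password, last_changed, today):
    """Return the policy violations for one endpoint credential."""
    out = []
    if len(password) < MIN_LENGTH:
        out.append("too short")
    if password.isdigit():
        out.append("digits only")          # keypad-style PIN
    if extension in password or extension[::-1] in password:
        out.append("contains extension")   # guessable from the dial plan
    if sum(any(c in cls for c in password) for cls in CLASSES) < 3:
        out.append("fewer than 3 character classes")
    if (today - last_changed).days > MAX_AGE_DAYS:
        out.append("older than %d days" % MAX_AGE_DAYS)
    return out

def audit(endpoints, today):
    """Map each non-compliant extension to its list of violations."""
    result = {}
    for extension, password, last_changed in endpoints:
        problems = findings(extension, password, last_changed, today)
        if problems:
            result[extension] = problems
    return result

# Constructed records: (extension, password, date last changed).
ENDPOINTS = [
    ("1001", "1001", date(2019, 1, 15)),
    ("1002", "123456", date(2020, 4, 1)),
    ("1003", "Tr4verse-Kettle-19", date(2020, 3, 20)),
    ("1004", "Copper!Lantern7Road", date(2019, 11, 2)),
]
TODAY = date(2020, 5, 7)

if __name__ == "__main__":
    for ext, problems in audit(ENDPOINTS, TODAY).items():
        print(ext, "->", "; ".join(problems))
```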
SIP Phones Lack Feature Parity with H.323 Phones
- When listing the features side-by-side, there are still a few features that H.323 phones have that SIP phones do not. With each release, Avaya narrows that gap, but it will probably not close because there are some features that are so rarely used that they aren’t worth porting into the SIP environment. The other challenge is that some features work differently than before. Some of this stuff isn’t intended to look and feel the same as it did 20 years ago. Some people want it exactly the same, but that just might not be in the roadmap. For example, the Directory feature on an H.323 phone pulls its list from Communication Manager, while SIP pulls it from the Enterprise LDAP Directory.
Negatives of IPsec VPN
Not Necessarily Secure
- IPsec VPNs work by simply encrypting the traffic entering the tunnel and decrypting traffic exiting the tunnel. Traffic often starts and ends in its original unencrypted state. A user may connect an infected PC or laptop running a softphone, which would have a secure connection directly into your LAN. Enterprises need to proactively manage the ENTIRE PC/Laptop to ensure it’s safe. Session border controllers focus more on the application and its traffic, not the device as a whole. Think of a session border controller as more of an application-specific firewall, managing the already-encrypted traffic, and ensuring that the encrypted traffic is as it should be.
- Assuming TLS and SRTP are enabled, with a SIP remote worker device, the communication is born encrypted. In the session border controller, the endpoint traffic is decrypted, inspected, re-encrypted, and proxied on to the SIP Registrar (i.e., Session Manager).
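The following added example (not Avaya's implementation) sketches the two Layer 7 jobs described above for one decrypted SIP request: inspecting it as an application-specific firewall would, and rewriting the private address that a Layer 4 NAT would leave inside the Contact header and the SDP body. The allowlist, the addresses, and the sample INVITE are constructed assumptions; a real session border controller also replaces Via and relays media on its own ports.

```python
ALLOWED = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS",
           "SUBSCRIBE", "NOTIFY", "PUBLISH"}
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}

def parse(raw):
    """Split a SIP request into request line, [name, value] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [[p.strip() for p in l.split(":", 1)] for l in lines], body

def screen(raw):
    """Return reasons to reject the request; an empty list means it passes."""
    start, headers, body = parse(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0" or any(len(h) != 2 for h in headers):
        return ["malformed request"]
    found = {n.lower(): v for n, v in headers}
    problems = [] if parts[0] in ALLOWED else ["method not allowed: " + parts[0]]
    missing = sorted(REQUIRED - set(found))
    if missing:
        problems.append("missing headers: " + ", ".join(missing))
    if found.get("content-length") != str(len(body.encode())):
        problems.append("Content-Length does not match body")
    return problems

def rewrite(raw, private_ip, public_ip):
    """Layer 7 NAT: rewrite Contact and SDP o=/c= (Via untouched), fix Content-Length."""
    start, headers, body = parse(raw)
    body = "\r\n".join(l.replace(private_ip, public_ip) if l[:2] in ("o=", "c=") else l
                       for l in body.split("\r\n"))
    for h in headers:
        if h[0].lower() == "contact":
            h[1] = h[1].replace(private_ip, public_ip)
        elif h[0].lower() == "content-length":
            h[1] = str(len(body.encode()))
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body

# Constructed sample: an INVITE as a softphone on a home network might send it.
BODY = ("v=0\r\no=- 1 1 IN IP4 192.168.1.23\r\ns=-\r\n"
        "c=IN IP4 192.168.1.23\r\nt=0 0\r\nm=audio 5004 RTP/SAVP 0\r\n")
SAMPLE = ("INVITE sip:2001@example.test SIP/2.0\r\n"
          "Via: SIP/2.0/TLS 192.168.1.23:5061;branch=z9hG4bK-constructed\r\n"
          "Max-Forwards: 70\r\nFrom: <sip:1001@example.test>;tag=a1\r\n"
          "To: <sip:2001@example.test>\r\nCall-ID: constructed-1\r\nCSeq: 1 INVITE\r\n"
          "Contact: <sip:1001@192.168.1.23:5061;transport=tls>\r\n"
          f"Content-Type: application/sdp\r\nContent-Length: {len(BODY)}\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(screen(SAMPLE), rewrite(SAMPLE, "192.168.1.23", "203.0.113.5"), sep="\n")
```

Because the public address here is one character shorter than the private one, the rewritten body shrinks and Content-Length has to be recomputed, which is the part a packet-level NAT cannot do.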
Not as Efficient as a Session Border Controller
- IPsec VPNs tend to be general purpose solutions, with the flexibility to handle all kinds of traffic—but that can also be a negative. Traffic entering an IPsec VPN tunnel will always be encrypted, regardless of whether or not it is already encrypted. Running voice/video that has already been encrypted at the source will get encrypted again as it enters the tunnel. For lower-end computers, this could put an extra burden on the CPU of the remote device.
Please note that this blog post is meant to start the discussion on H.323 vs. SIP—we haven’t covered every possible advantage or disadvantage, and admittedly, we’re both a little biased. John and I both love SIP and would rather deploy SIP over H.323 in almost every scenario. However, keep in mind that there might actually be some scenarios where SIP is not the right answer. This is where ConvergeOne shines at being able to apply the right technology to each customer’s individual use cases and requirements.