Cato Networks is a certified connectivity partner of RingCentral, a leading provider of unified communications as a service (UCaaS). RingCentral has performed extensive testing that demonstrates Cato’s ability to provide excellent call quality even during poor network conditions with up to 15% packet loss. You can read more about the partnership and how Cato delivers on quality in the press release and the Cato Blog.
If you’re a current or prospective RingCentral customer, this article will guide you through the Cato configuration necessary to get the best performance out of your RingCentral product.
High Level Overview
- Verify that SIP ALG is disabled for the account or specific sites.
- Verify that the security policies do not block RingCentral traffic.
- Configuring the BW Management to give the correct priority for RingCentral traffic.
- Configure a network rule for RingCentral traffic.
Disabling SIP ALG
From September 2019, SIP ALG is disabled by default on new accounts. If necessary, disable SIP ALG for specific sites or across your entire account.
To disable SIP ALG:
- Go the the Advanced Configuration section for the entire account or the site:
- For the account: Configuration > Global Settings > Advanced Configuration
- For the site: Configuration > Sites > <site name> > Advanced Configuration
- Click the SIP ALG toggle to enable the Advanced Configuration settings for this feature. (The toggle is green when enabled).
- Select OFF.
- Click Save.
SIP ALG is disabled for the account or site.
Verifying the Security Policies
Configuring the Internet Firewall
By default, the Internet Firewall will not block any RingCentral traffic. However, if you have created a more restrictive Internet Firewall policy, you may need to create an exception to allow RingCentral traffic.
To configure an Internet firewall exception for RingCentral:
- In the Cato Management Application, go to Security > Internet Firewall.
- In the Exceptions (Allow Applications) section, click
.
- Click Add Description to add a name to the policy.
- In the From section, click
and select
in the lower right corner of the popup window.
- In the To section, click
, click the Applications tab, and then select RingCentral.
- In the popup window, click OK.
- Click Save.
When you are finished, the policy looks like the screenshot below:
Configuring the URL Filtering Policy
Like the Internet Firewall, the default URL Filtering policy will not block traffic to any RingCentral domains. However, if you have configured a more restrictive policy, such as blocking all URL categories and allowing only certain domains, you will need to create a Custom Category to prevent specific RingCentral domains from being blocked.
Different domains need to be allowed depending on the RingCentral product you’re using, so please refer to RingCentral’s documentation for a list of the required domains.
To configure a Custom Category for RingCentral:
- From the navigation pane, click Security > URL Filtering.
- In the Custom Categories section, click
.
- Click Add Name to add a name to the policy.
- In the From section, click
and select
box in the lower right corner of the popup window.
- In the URLs & Categories section, click the
button.
- Domains listed in the format *.domain.com in RingCentral’s documentation should be added to the TLDs section in the domain.com format.
- Other domains without a wildcard should added to the FQDNs section. Refer to the screenshots below.
Note: In order to save time, you can add the ringcentral.com domain to the TLDs section instead of adding the individual RingCentral subdomains to the FQDN section.
- In the popup window, click OK.
- Click Save.
Configuring Bandwidth (BW) Management
RingCentral should be assigned the lowest BW Management priority to ensure optimal voice quality even during link congestion. By default, all voice and video traffic over the Internet is assigned the lowest predefined priority, P10, by the “Internet Voice & Video - Predefined” policy under Networking > Network Rules in the Cato Management Application. Therefore, without any rule modification, RingCentral traffic will be given the same precedence as other voice traffic.
If you’d like to prioritize RingCentral traffic over all other voice traffic, create a lower priority under Networking > Bandwidth Management. You’ll use this priority when setting up a Network Rule in the next step.
To configure a BW Management Priority for RingCentral:
- From the navigation pane, go to Networking > BW Management.
- Click
in the top right corner.
- Define the priority. Any number less than 10 is given precedence over the predefined P10 priority.
- Click OK.
- Click Save.
Configuring a Network Rule
Create a network rule for RingCentral traffic to assign a custom BW priority, set the NAT IP, and enable Packet Loss Mitigation. The NAT IP address is also the egress IP address for a specific Cato PoP. We recommend that you select the Cato PoP that is physically closest to a RingCentral PoP, and lets you takes advantage of the RingCentral tier 1 backbone.
Setting the NAT IP in the network rule ensures that both SIP (used for call setup) and RTP streams (voice data) share the same NAT IP. Phone calls will not work if the RTP stream uses a different NAT IP than the SIP stream.
Enabling Packet Loss Mitigation will prevent call quality from degrading with up to 15% packet loss on the WAN link.
Prerequisites
You will need at least one allocated IP to complete the configuration for the network rule. If you do not have any allocated IPs, you can create one under Configuration > Global Settings > IP Allocation in the Cato Management Application. See this article for more information.
To configure a network rule:
- Go to Networking > Network Rules in the Cato Management Application.
- Click the
button on the right side of the first network rule and select Add Internet Rule Above.
Network rules are executed in a top-down order, so this will make sure that RingCentral traffic is assigned to the correct policy. - Enter the Name for this rule.
- Click
in the What column, and in the Applications section, and select the Ring Central application.
- Click OK to close the Services window.
- Click
in the From column and select Any in the lower left corner of the popup window.
This will force all RingCentral traffic from every site and VPN user to hit this network rule. Alternatively, you can select specific sites, networks, hosts, or VPN users here. - Click OK to close the Add Items window.
- Click
to expand the section. Select the custom BW priority you created earlier or the default P10.
- Click
to expand the section and select NAT in the Route/NAT drop-down menu.
- Click the
button and select a single or multiple egress IPs.
Note: We recommend that you select the Cato PoP that is physically closest to a RingCentral PoP.
In the case of multiple egress IPs, the one closest to the PoP that the site or VPN user is connected to will be used for NAT.Optional: If you have multiple WAN interfaces, you can set the primary and secondary NICs. You can also set the secondary transport if you have one.
- Click Accelerations & Optimizations to expand the section and then select Packet Loss Mitigation.
- Click Save.
Finding Cato and RingCentral PoPs
To help you select the best Cato PoP to egress traffic in the Internet network rule, the following map shows the physical locations of the Cato and RingCentral PoPs.
This is a list of the RingCentral PoPs:
PoP ID |
Company |
Location |
AM5 |
Equinix |
Amsterdam |
AT2 |
Equinix |
Atlanta, GA |
CH2 |
Equinix |
Chicago, IL |
DA3 |
Equinix |
Dallas, TX |
DC2 |
Equinix |
Ashburn, VA |
DC7 |
Equinix |
Vienna, VA |
MIA |
Terremark/NovaTel |
Miami, FL |
NY8 |
Equinix |
New York, NY |
|
One Wilshire/Sirius/NovaTel |
Los Angeles, CA |
RJ2 |
Equinix |
Brazil |
SE2 |
Equinix |
Seattle, WA |
SG3 |
Equinix |
Singapore |
SV5 |
Equinix |
San Jose, CA |
SY2 |
Equinix |
Sydney, AU |
THOE |
Telehouse |
London, UK |
TK5 |
NTT |
Tokyo |
ZH4 |
Equinix |
Switzerland |
2 comments
Hello Chris,
The configuration of the smaller group overrides the larger group.
For more about DHCP, see https://support.catonetworks.com/hc/en-us/articles/360006091117-Best-Practices-for-DHCP .
For more about DNS, see https://support.catonetworks.com/hc/en-us/articles/360006091097-Best-Practices-for-DNS .
Once group level DHCP/DNS/SUFFIX is created and member is assigned(socket site), would i need to do anything on the socket level to ensure that particular socket when DHCP is being lease out the options are included? Or creating the group level is sufficient and all will take effect once i assigned the required DHCP range at the socket level
Please sign in to leave a comment.