Avaya IPO500 - Remote SIP extn - 403 forbidden

Status
Not open for further replies.

PaulCarter

Technical User
Sep 8, 2015
24
GB
I'm having some issues connecting a remote SIP extn (Avaya Communicator) on an IPO500 9.1.

I've changed the SIP ports on the IPO to 6050 instead of 5060 and the port forwarding has been done on the customer's firewall and enabled remote SIP extension on the LAN1 VOIP tab. I am trying to connect using port 6050 on Avaya Communicator and have tried both the username and extension number. I have also just tried with X-Lite SIP softphone and get the same issue.

When trying to connect the remote SIP extension I get the following error on monitor:-

09:02:57 465160167mS SIP Rx: TCP 86.135.156.104:53353 -> 192.168.16.63:6050
REGISTER sip:79.121.220.140 SIP/2.0
From: sip:AdamLW@79.121.220.140;tag=1a46e03d58ac0244767e417c_FAdamLW192.168.1.205
To: sip:AdamLW@79.121.220.140
Call-ID: 1_1dd23e3478305191767e407d_R@192.168.1.205
CSeq: 1 REGISTER
Via: SIP/2.0/TCP 192.168.1.205:53353;branch=z9hG4bK1_1dd23e34491f719767e4485_RAdamLW
Content-Length: 0
Max-Forwards: 70
Contact: <sip:AdamLW@192.168.1.205:53353;transport=tcp>;q=1;expires=900;reg-id=1;+sip.instance="<urn:uuid:c5d8a32d-6001-5bcf-a677-701e8342cc11>"
Allow: INVITE,CANCEL,BYE,ACK,SUBSCRIBE,NOTIFY,MESSAGE,INFO,PUBLISH,REFER,UPDATE
User-Agent: Avaya Flare Engine/2.0.0 (Avaya 2.0 64; Windows NT 6.1, 64-bit)
Supported: eventlist, replaces, vnd.avaya.ipo

09:02:57 465160171mS SIP Tx: TCP 192.168.16.63:6050 -> 86.135.156.104:53353
SIP/2.0 403 Forbidden
Via: SIP/2.0/TCP 192.168.1.205:53353;branch=z9hG4bK1_1dd23e34491f719767e4485_RAdamLW
From: <sip:AdamLW@79.121.220.140>;tag=1a46e03d58ac0244767e417c_FAdamLW192.168.1.205
Call-ID: 1_1dd23e3478305191767e407d_R@192.168.1.205
CSeq: 1 REGISTER
User-Agent: IP Office 9.1.0.0 build 437
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,NOTIFY,INFO,SUBSCRIBE,REGISTER,PUBLISH
Supported: timer
Server: IP Office 9.1.0.0 build 437
To: <sip:AdamLW@79.121.220.140>
Content-Length: 0

Has anyone got any ideas what I could be doing wrong please?

Thanks in advance!
 
What is the Domain Name set to on the System-->LAN-->VoIP tab?

If it is a name and not blank then you need to set that in Communicator as the bit after AdamLW@ needs to match that for remote SIP extensions.

Pete

| ACSS SME |
 
Hi,
Thanks for your reply, the domain field is blank on the VOIP tab.
 
Try setting the domain in communicator to the local IP address of the phone system.

However you should be using an FQDN when using remote devices. To confirm when you configure a system for one-x mobile you also configure it automatically for remote communicator.

I can also confirm that changing to 6050 will not be an issue as I myself do not use 5060 for remote SIP signalling.

| ACSS SME |
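
The check described in the two replies above, as an added example (not part of the original thread and not Avaya code): it parses an abbreviated copy of the monitor trace from the first post, pairs the REGISTER with its reply, and compares the host part of the To URI with the domain the system expects. The expected domain 192.168.16.63 is an assumption taken from the trace (the address receiving on port 6050), and the function names are hypothetical.

```python
import re

# Abbreviated from the monitor trace in the first post of this thread.
TRACE = """\
09:02:57 465160167mS SIP Rx: TCP 86.135.156.104:53353 -> 192.168.16.63:6050
REGISTER sip:79.121.220.140 SIP/2.0
To: sip:AdamLW@79.121.220.140
Call-ID: 1_1dd23e3478305191767e407d_R@192.168.1.205
CSeq: 1 REGISTER
Contact: <sip:AdamLW@192.168.1.205:53353;transport=tcp>;q=1;expires=900

09:02:57 465160171mS SIP Tx: TCP 192.168.16.63:6050 -> 86.135.156.104:53353
SIP/2.0 403 Forbidden
Call-ID: 1_1dd23e3478305191767e407d_R@192.168.1.205
CSeq: 1 REGISTER
"""

HDR = re.compile(r"SIP (Rx|Tx): \w+ ([\d.]+):\d+ -> ([\d.]+):\d+")
URI_HOST = re.compile(r"sips?:(?:[^@;>\s]+@)?([^:;>\s]+)")

def parse_trace(text):
    """Split a monitor trace into messages: direction, source, start line, headers."""
    msgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HDR.search(lines[0])
        if m and len(lines) > 1:
            hdr = {k.strip().lower(): v.strip() for k, v in
                   (l.split(":", 1) for l in lines[2:] if ":" in l)}
            msgs.append({"dir": m[1], "src": m[2], "start": lines[1], "hdr": hdr})
    return msgs

def check_register(text, expected_domain):
    """Pair each REGISTER with its reply and report the domain and NAT findings."""
    msgs, out = parse_trace(text), []
    for req in (m for m in msgs if m["start"].startswith("REGISTER ")):
        key = (req["hdr"].get("call-id"), req["hdr"].get("cseq"))
        resp = next((m for m in msgs if m["dir"] == "Tx" and
                     (m["hdr"].get("call-id"), m["hdr"].get("cseq")) == key), None)
        aor = URI_HOST.search(req["hdr"]["to"])[1]          # host after "AdamLW@"
        contact = URI_HOST.search(req["hdr"]["contact"])[1]  # address the client advertises
        out.append({"status": resp["start"].split()[1] if resp else None,
                    "aor_host": aor,
                    "domain_matches": aor.lower() == expected_domain.lower(),
                    "client_behind_nat": contact != req["src"]})
    return out

if __name__ == "__main__":
    print(check_register(TRACE, "192.168.16.63"))  # assumed system domain
```

A Contact address that differs from the packet's source address means the client sits behind NAT, which is why the later replies turn to the firewall, SIP ALG and network topology settings.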
 
Thanks,
I have changed the domain to the internal IP of the IPO and it now registers OK. However when you dial out from it, you don't get any speech and it doesn't seem to even know when the other party has accepted the call. At least I'm further forward than I was before I suppose!
 
That is 95% the firewall.

Ensure the following ports are opened

TCP
5222
5269
8069
8080
8443
8444
9443
8063

TCP/UDP

6050 (as this is what you have set for remote SIP)

UDP

The RTP Port range you have set on the system against RTP Port Number Range (NAT)

Also ensure on the firewall SIP ALG or SIP Transformations are turned off.

Then on the IPO ensure you have network topology set with the correct public IP address, and statically set it to Static Port Block (leave the UDP/TCP and TLS ports on this tab to 5060/5060 and 5061 as they are not used for this setup).

I would also recommend on the VoIP tab turning on Keep Alives

Scope - RTP-RTCP
Initial Keepalive - Enabled
Periodic Timeout - 60

Moving forward I would recommend getting yourself an FQDN that can be used for this (1 required if on Server Edition and 2 if on an IPO and a separate App Server)

| ACSS SME |
 
Thanks a lot that's great, I've passed those ports onto the customer's IT company. I naively thought that as it's just connecting over SIP it would only need the SIP port forwarding. They haven't got One X Portal or anything like that.
 
Please get an SBC when using remote extensions, opening all those ports to the system is not the greatest idea.

"Trying is the first step to failure..." - Homer
 
OK, never done Communicator without one-x portal being active as well.

In that case you can ignore

TCP
5222
5269
8069
8080
8443
8444
9443
8063

As these are the one-x portal ports and not needed for communicator.

I have personally never set up Communicator without having set up a one-x portal server (due to wanting presence working), so I'm not sure how well it works without the correct FQDN/network topology setup.


| ACSS SME |
 
Both those things run on PC/smartphone, run them over VPN, problem solved and no security risk, win win :)

 
We did have it working over a VPN but the customer's VPN client was causing very bad speech quality so they wanted to try it this way unfortunately until they get their VPN sorted properly!
 
We tend to use the built-in VPN clients (Windows and Android/iOS), not really had any issues then :)

 
What VPN? Every time I try VPN, it messes with the GroupVPN and causes remote phones to drop. Then my VPN on my phone causes my data to stop working. It's infuriating. LOL

______________________
|........................................|
|.....i.eat.bunny.children......|
|______________________|
(\__/) ||
(•Y•). ||
/ < )<||
 