
Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address


dsm600rr

Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya Goodies - specifically for remote worker support, so I have begun messing around with Avaya IX Workplace. Let's just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

1_xm3swl.jpg


I have not moved any further in the document as of now.

Thank you.

ACSS
 
@Sparrow4 - Yes I just am not sure which ones.

I installed this one on my IPO:

2222_owppbm.png


And downloaded these two:

66666_cfidp2.png


ACSS
 
You need to install the root in trusted root certs on your device (Windows/Mac/iOS/Android).
But, hey, install them both for good measure. Just make sure to trust them. This process varies depending on device. I am a Mac user, so I open the cert in the Keychain Access app and set it to always trust.

 
@Travis Harper: Does your certificate SAN work as?:

DNS:pfcommunications.com,DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

192.168.1.251 is my Internal for the PBX

ACSS
 
Not to confuse anyone please clarify why for both dsm600rr and myself @Travis H - derfloh - Pepp77 - JazzWizzard.
I understand that dsm600rr and I won't have the exact same config. In the example of a Windows user:
1- In a browser from the Windows PC I go to to download the cert
2- Search and find the downloaded WebRootCA.pem on the Windows machine, rename the file to WebRootCA.cer, then install it

That's how installing my cert is working for me. Should dsm600rr do the same?
 
My main confusions are:

Since pfcommunications.com points to some other public IP Address, guessing whoever hosts our website, should I be using that for the SIP Domain Name?

Or should I be using ix.pfcommunications.com for both the SIP Domain Name and SIP FQDN?

If so, should my SAN look like this:

DNS:DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

or This?

DNS:DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com

ACSS
 
@dsm600rr

The SIP domain does not need to be routable to the IP Office.
Only the FQDN does.

How I had it set up and working... until recently.
My SIP domain is tharper.ca, which resolves to a web server I run internally and my public IP externally <- NAT firewall is port 80
My FQDN is sip.tharper.ca, which resolves to my IP Office internally, and public IP externally <- Firewall NAT rules in place and using IP Office preferred ports so I don't conflict with port 80 on my web server.

DNS:sip.tharper.ca,DNS:tharper.ca,IP:192.168.0.242,IP:24.77.69.177,URI:sip:sip.tharper.ca,URI:sip:tharper.ca,URI:sip:192.168.0.242,URI:sip:24.77.69.177

Today, I do it differently. I have my LAN 1 directly connected to the internet, with the public IP (it's just a lab). My SAN is much smaller now with just 3 entries: DNS, IP, SIP on the public IP.

 
For what it's worth, I tear down and rebuild my IP Office at least twice a month. I've gotten pretty used to setting it up.
 
@dsm600rr
try this maybe I have it like that
Can you try this
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP: IPO Private IP on LAN1,IP: IPO Public IP on LAN 2,IP: IPO Public on LAN1
Make Changes accordingly
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP:192.168.1.251,IP:
 
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:pfcommunications.com,URI:sip:192.168.1.251,URI:sip:173.XXX.XXX.XXX
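A way to sanity-check a SAN string like the ones posted above before entering it in the certificate settings, as an added example that is not part of the original thread or Avaya's tooling: it parses the DNS:/IP:/URI: list, flags malformed or masked entries, and checks that the SIP registrar FQDN is present. The function names, the expectation that the FQDN appears as both DNS and URI:sip (modelled on the SANs posted in this thread), and the sample values are assumptions.

```python
import ipaddress

# RFC 1918 ranges: addresses in these are not reachable from outside the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_san(san):
    """Split 'DNS:a,IP:b,URI:sip:c' into (kind, value) pairs and a list of problems."""
    entries, problems = [], []
    for raw in san.split(","):
        kind, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep or not value or kind not in ("DNS", "IP", "URI"):
            problems.append(f"malformed entry {raw!r}")
        elif kind == "DNS" and ":" in value:
            problems.append(f"stray prefix or colon in {raw!r}")
        elif kind == "IP" and not _is_ip(value):
            problems.append(f"not a literal IP address in {raw!r}")
        else:
            entries.append((kind, value))
    return entries, problems

def audit_san(san, registrar_fqdn):
    """Return the problems found in a SAN string for the given registrar FQDN."""
    entries, problems = parse_san(san)
    # Assumption: the FQDN should appear as both DNS and URI:sip, as in the thread's SANs.
    for wanted in (("DNS", registrar_fqdn), ("URI", "sip:" + registrar_fqdn)):
        if wanted not in entries:
            problems.append(f"missing {wanted[0]}:{wanted[1]}")
    ips = [ipaddress.ip_address(v) for k, v in entries if k == "IP"]
    if ips and all(any(ip in net for net in RFC1918) for ip in ips):
        problems.append("every IP entry is RFC 1918; no externally reachable address listed")
    return problems

# Constructed sample values (example.com; 192.0.2.10 stands in for a public IP).
GOOD = ("DNS:ix.example.com,DNS:example.com,IP:192.168.1.251,IP:192.0.2.10,"
        "URI:sip:ix.example.com,URI:sip:192.0.2.10")
DRAFT = "DNS:DNS:ix.example.com,IP:192.168.1.251,IP:192.XXX.XXX.XXX,URI:sip:ix.example.com"

if __name__ == "__main__":
    for name, san in (("GOOD", GOOD), ("DRAFT", DRAFT)):
        print(name, audit_san(san, "ix.example.com") or "no problems found")
```

The DRAFT string reproduces two slips that are easy to carry from a forum post into the real field: a doubled `DNS:` prefix and an address still masked with `XXX`.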






IPO Connectivity:

WAN: This is my Voice VLAN, where the IPO is acting as the DHCP Server, all my internal phones register, and my SIP Trunk comes in. The public IP here is my Firewall for the SIP Trunk:

WAN_t7byfm.png




LAN: This is on my Data VLAN and where I have the SIP Domain / FQDN. The public IP here is an open one on our block.

LAN1_sqo6gi.png


LAN2_xwhszp.png



ACSS
 
Internally, if I ping ix.pfcommunications.com it resolves to my PBX on the Data VLAN

Ping_r0wesv.png


ACSS
 
Cleaning up my notes to send them to you. Give me until tomorrow.
 
The only thing I noticed from your screenshots is that IX Workplace is connected via LTE, and your ping screenshot is showing 192.168.1.251
If you put your iPhone on the same lan as the IP Office, does it connect?

From my location, if I ping ix.pfcommunications.com, it gets timed out.
Also, I can't browse to ix.pfcommunications.com/46xxsettings.txt

Connected over LTE will not work as it's configured now, regardless of how the cert is set up.




 
one thing that also helped.
In the meantime
from IPO ping the IPO gateway subnet
from IPO ping internal DNS
from IPO ping 8.8.8.8
Those need to be successful


 
@Travis Harper

"If you put your iPhone on the same lan as the IP Office, does it connect?" - Yes it does.

"From my location, if I ping ix.pfcommunications.com, it gets timed out." - Mine does as well. It used to show my Public IP, I wonder why it no longer does. If I do an nslookup it works. So does DNS Checker. Any ideas why this may be?

Internally if I ping ix.pfcommunications.com it resolves to my IPO

ACSS
 
@Sparrow4

"from IPO ping the IPO gateway subnet"
1_j8zrm5.png


"from IPO ping internal DNS"
2_j5yhm1.png


"from IPO ping 8.8.8.8" **Not sure why this one shows the Voice VLAN 172.30.20.1 (IPO WAN) - Shows this when I tested with both the LAN / WAN**
3_pmlr1j.png


ACSS
 
I think as far as IPO goes, you are good.

FYI... when I ping the domain, it does show the public IP and that means the DNS is working. No response or timeout means the firewall is blocking any type of response. The packet does not know where to go.

You just need to work on the firewall, so you register externally.
Are you using a Session Border Controller, or are you just doing Firewall NAT rules?



 
Travis Harper: I have a decent Cisco guy

Is there anything in particular I should pass along to him to do on the ASA?

"when I ping the domain, it does show the public IP and that means the DNS is working" - What are you pinging? Do you mean here:?

1_ij3pqn.png


No SBC.

ACSS
 
It means the DNS server is configured properly. The domain is resolving to the correct IP address. The ping is timing out because the ASA is not configured properly.
The ASA is blocking all packets from reaching the IPO.

Everything from this point on requires your ASA guy to do some work.

You need your ASA guy to forward ports 5060-5061 TCP to the internal IP address of the IPO.
You will also need the ASA guy to forward the RTP range to the internal IP of the IP Office.

You will also need ports 80 and 443 forwarded as well. If you have checked “use preferred ports” then instead of 80 and 443 forward 411 and 8411.

That should be all you need for IX Workplace.

 