Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Status
Not open for further replies.

dsm600rr

Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya goodies, specifically for remote worker support, so I have begun messing around with Avaya IX Workplace. Let's just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

[Image: 1_xm3swl.jpg]


I have not moved any further in the document as of now.

Thank you.

ACSS
 
There is another thing I do as well that really cuts down attempted VoIP attacks.
I block ports 5060/5061 and configure my IP Office to use non-standard ports for SIP.

I also change the SSH port to something other than 22, and block port 22.

I have been trying to play with the Linux firewall, and installed fail2ban, and was going to enable GeoIP country blocking, but I can't get that to work; that has to do with firewalld or iptables in IP Office.

 
Travis Harper: Appreciate all the info

Are you just referring to the Remote Ports?

Where is the SSH Port?

[Image: 1_xpl0pe.jpg]

[Image: 2_yd2i7g.jpg]


ACSS
 
Yep... @ Travis what alternate port can dsm600rr replace those with?
 
Also, after you replace them you need to link with your firewall guy to update the rules on his end.
 
Sparrow4: Thank you. I just wanted to confirm those are the correct ports I am changing before I do so.

What are some good alternatives?

ACSS
 

I change them both on my system, not just remote.
5064 5065 are good alternates. It does not really matter as long as it's not 5060 5061.

 
The SSH port is a bit tricky.

You need to SSH in to the IP Office, escalate to root, and edit the /etc/sshd/sshd_config file.
 
Travis Harper:

Thank you.

Look good?

[Image: 11_pq5xf9.jpg]

[Image: 2222_p9vudm.jpg]


ACSS
 
So I updated the port in IX Workplace to 5065 and that is working perfectly, however it broke my SIP Trunk.

Firewall has ports 5060 / 5061 blocked and updated to 5064 / 5065

I updated the port here:

[Image: 666_hlvdnr.jpg]


Thoughts?

ACSS
 
Try reverting only send port to 5060, UDP and TCP port to 5060. Leave layer 4 protocols TLS to 5065, remote UDP and TCP to 5064, remote TLS to 5065. Public UDP and TCP to 5064, public TLS to 5065.
 
I think the default/non-remote UDP, TCP and TLS are for internal use. I wouldn't block those ports specifically but just have the firewall guy update the old rule from 5060 and 5061 with 5064 and 5065.
 
Yup. Once you change the ports on the IP Office, you need to change them on the SIP lines, and also with your SIP providers.
I use DIDWW.com. So I log into my DIDWW.com account and change my inbound SIP trunk to use port 5069, since that is what my IP Office is listening on.

[Image: Screen_Shot_2020-10-01_at_10.42.37_AM_tlutbb.png]
 
@Travis. dsm600rr shouldn't revert anything and make the changes you mentioned?
 
All,

Working with my firewall guy, we came up with the following:

Port 5060 is only allowing inbound traffic from our SIP Provider through

Port 5061 is Blocked

Port 5064 / 5065 are open for IX Workplace

[Image: 111_fxados.jpg]

[Image: 1111111_kxlw1m.jpg]


ACSS
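
The port policy from the post above, written out as an nftables ruleset for a Linux gateway in front of the IP Office. This is an added example, not part of the thread: the thread does not say which firewall is in use, and the addresses 203.0.113.10 (SIP provider) and 192.0.2.20 (IP Office) are documentation-range placeholders, as is the TCP/UDP split on 5064 and TLS on 5065 taken from the port assignments suggested earlier in the thread.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). All addresses are placeholders.

define SIP_PROVIDER = { 203.0.113.10 }   # assumed: provider signalling source(s)
define IPO          = 192.0.2.20         # assumed: IP Office behind the gateway

table inet sip_edge {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Only traffic to the IP Office on the SIP ports is judged here;
        # everything else is left to the gateway's existing rules.
        ip daddr $IPO meta l4proto { tcp, udp } th dport { 5060, 5061, 5064, 5065 } jump sip_in
    }

    chain sip_in {
        # Replies to sessions the IP Office itself opened (e.g. to the trunk).
        ct state established,related accept

        # 5060: SIP trunk, inbound from the provider only.
        ip saddr $SIP_PROVIDER meta l4proto { tcp, udp } th dport 5060 accept

        # 5064 (UDP/TCP) and 5065 (TLS): IX Workplace remote clients.
        meta l4proto { tcp, udp } th dport 5064 accept
        tcp dport 5065 accept

        # What reaches this point: 5061 from anywhere, 5060 from anyone
        # who is not the provider. Log a sample, count and drop all of it.
        limit rate 10/minute log prefix "sip-drop: "
        counter drop
    }
}
```

`nft -c -f <file>` parses the ruleset without loading it. The counter on the final rule keeps a running total of dropped probes on 5060/5061, which can be read with `nft list chain inet sip_edge sip_in`.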
 
Just an update, updating the ports halted all outside attacks. Have not had one hit since the update.

ACSS
 