
Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Status
Not open for further replies.

dsm600rr

IS-IT--Management
Nov 17, 2015
1,444
US
Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya goodies, specifically for remote worker support, so I have begun messing around with Avaya IX Workplace. Let's just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:

[screenshot: 1_xm3swl.jpg]


I have not moved any further in the document as of now.

Thank you.

ACSS
 
Glad you got it working, but your IP route was the reason that you were trying to ping with the LAN port but it was going out the WAN port (and why it wasn't working):

On the LAN port you have an IP Route:
192.168.1.0
255.255.255.0
192.168.1.1

On the WAN port you have an IP Route:
0.0.0.0
0.0.0.0
172.30.20.254

This means that anything not on the 192.168.1.X subnet will use the WAN port IP route.

The truth is just an excuse for lack of imagination.
 
@dsm600rr

For security reasons you should not have 5060 opened on your firewall. I have noticed you NAT'd the external port to UDP 5064; this is still an unencrypted port, which means that anyone listening on your network will see the registration for these SIP clients' username and password in plain text. Bots scan your external IP and all ports that are open; they will see this 5064 open and attack it, not as fast as port 5060, but it is a security issue that you should resolve.

Use the encrypted port 5061 TLS, external port 5065 TLS. People above and loads of other threads have explained exactly how to install the identity certificate for the SIP clients.

If you don't believe me, run a Network scanner against your public IP and you will see the results.

When you are creating the certificate have both the DNS names in the certificate.
 
bahmonkeys: we have 5060 opened only for two IP addresses from our SIP provider.

Can you elaborate a bit on exactly what I should update? Is this just in reference to:

Remote UDP Port: 5064
Remote TCP Port: 5064

Public Ports:
UDP: 5064
TCP: 5064



ACSS
 
You changed the ports on the Avaya IPO, but did you block them on your edge router?

You use SIP providers. Lock down the port 5064 to the SIP providers' public IPs on your firewall and block port 5060 and 5064 UDP/TCP.

For IX Workplace registration, use port 5061 TLS for external access.

This is a public forum and you shouldn't have shared your DNS records; anyone can scan your public IP and find these ports opened. Look into GeoIP filters and create security layers.
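
The port advice in the replies above can be checked against an exported rule list. The following is an added example, not part of the thread and not Avaya or firewall-vendor tooling: it flags inbound rules that expose the cleartext SIP ports (5060, 5064) to sources other than the SIP provider and rewrites them scoped to the provider. The provider addresses, the rule tuple format and the function names are assumptions made for illustration.

```python
import ipaddress

# Port roles as used in the thread.
CLEARTEXT_SIP = {5060, 5064}  # SIP over UDP/TCP, no TLS
TLS_SIP = {5061, 5065}        # SIP over TLS

# Constructed placeholders (documentation range) for the SIP provider's two IPs.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.10/32"),
                 ipaddress.ip_network("203.0.113.11/32")]

# Constructed inbound allow rules: (source CIDR, protocol, public port).
SAMPLE_RULES = [
    ("203.0.113.10/32", "udp", 5060),
    ("203.0.113.11/32", "udp", 5060),
    ("0.0.0.0/0", "udp", 5064),
    ("0.0.0.0/0", "tcp", 5064),
    ("0.0.0.0/0", "tcp", 5061),
]

def audit(rules, provider_nets=PROVIDER_NETS):
    """Return (src, proto, port, reason) for each rule that needs attention."""
    findings = []
    for src, proto, port in rules:
        net = ipaddress.ip_network(src)
        if port in CLEARTEXT_SIP and not any(net.subnet_of(p) for p in provider_nets):
            findings.append((src, proto, port, "cleartext SIP allowed from non-provider source"))
        elif port in TLS_SIP and proto != "tcp":
            findings.append((src, proto, port, "SIP TLS runs over TCP; rule is unnecessary"))
    return findings

def tighten(rules, provider_nets=PROVIDER_NETS):
    """Scope flagged cleartext rules to the provider IPs; drop other flagged rules."""
    flagged = {f[:3] for f in audit(rules, provider_nets)}
    fixed = []
    for rule in rules:
        if rule not in flagged:
            fixed.append(rule)
        elif rule[2] in CLEARTEXT_SIP:
            fixed.extend((str(p), rule[1], rule[2]) for p in provider_nets)
    return fixed

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FLAG", finding)
    for rule in tighten(SAMPLE_RULES):
        print("KEEP", rule)
```

The TLS rule on 5061 stays open to any source, which matches the advice to register remote IX Workplace clients over TLS.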
 