H323 Extensions with Sonic Firewall

[jimbo1007]

Hi,

We are about to install a new IP office and there are 5 x H323 extensions which are going to be placed in a remote office. We have installed H323 extensions successfully a couple of times before but on this occasion there is a sonic firewall in place between the two offices. The provider of the sonic firewall has asked us if there is anything they need us to do. We have not installed over a sonic firewall before so is there anything we should bear in mind when doing this or should be just ask them to forward the usual port ranges which are forwarded for H323.

Thanks in advance,

 

[hairlessupportmonkey]

I guess it should be the same as any other firewall. Some Port forwarding / firewall policies, but in the case of the Sonicwall make sure H323 transforms are off.

ACSS - SME
General Geek

 

[jimbo1007]

Do you have a copy firewall polices? Would be much appreciated.

 

[hairlessupportmonkey]

afraid not. Im a watchguard whore. Sonicwall is the enemy.

ACSS - SME
General Geek

 

[ayking]

Does the remote office has a Sonicwall as well? If so they should set up a site-to-site VPN and your H323 phones will be connected as if on the local network.

 

[nnaarrnn]

There is a document out there that shows how to make the 96xx phones VPN to a Sonicwall (best idea for remote phones that aren't in a site to site VPN), but I've not had any luck with it.

 

[jimbo1007]

The customer has a sonic wall at both ends and a vpn between the two, so in this case do we need to even forward the ports? Could we just set up the handset as a local handset?

Thanks in advance,

 

[nnaarrnn]

If there's an existing site to site VPN, then yes, you can use them as local handsets without forwarding any ports.

 

[ayking]

There is no need for forwarding and the cleanest solution is when you have site-to-site vpn. If they are on different subnet just make sure you have a route at each end pointing them over the vpn.

@nnaarrnn: I've got a 9608 VPN to a Sonicwall NSA240 by following the instructions in Technical Tip 190 and the information on this link:
[URL unfurl="true"]https://support.avaya.com/forums/showthread.php?t=213[/url]

Here is the 96xxvpn.txt I made:

SET NVVPNMODE 1
SET NVSGIP <NSA240 Public IP>
SET NVIKEXCHGMODE 1
SET NVIKECONFIGMODE 1
SET NVVPNAUTHTYPE 4
SET NVVPNUSER <NSA240 Local User>
SET NVVPNPSWDTYPE 1
SET NVVPNCOPYTOS 2
SET NVVPNENCAPS 0
SET NVIKEPSK <VPN Pre-shared key>
SET NVIKEID GroupVPN
SET NVIKEIDTYPE 2
SET NVIPSECSUBNET <Internal subnet of IP Office in /24>
SET NVIKEDHGRP 2
SET NVPFSDHGRP 2
SET NVIKEP1ENCALG 1
SET NVIKEP2ENCALG 1
SET NVIKEP1AUTHALG 2
SET NVIKEP2AUTHALG 1
SET NVXAUTH 1
SET VPNCODE 876
SET VPNPROC 2
SET NVMCIPADD <IPO LAN1 IP>
SET NVHTTPSRVR <IPO LAN1 IP>
SET NVIKEOVERTCP 1
SET NVIKEP1LIFESEC 28800
SET NVIKEP2LIFESEC 28800
SET NVVPNSVENDOR 4
SET NVVPNUSERTYPE 2

On the NSA I have these:

IKE proposals matching those in 96xxvpn.txt
Enable IKE Mode Configuration - checked
IP Pool for Clients - IP Pool created within VPN zone
Address Expiry Time - 28800 (to match IKE lifetime)
Require authentication of VPN clients by XAUTH - checked
User group for XAUTH users - NSA local user group that includes the VPN user above in NVVPNUSER
Virtual Adapter settings - DHCP Lease or Manual Configuration

 

[jimbo1007]

Ayking;

Do I need to enter the above into the handset if both sites are on the same subnet?

The sonic wall is a TZ 125 and the handsets are currently just saying discover 192.168.168.121 (the ip of the ip office at main site)

Regards,

 

[ayking]

If the two sites are on 2 ends of the site-to-site VPN, they really shouldn't be on the same subnet. If it is then the network engineer need to learn how to set a network and VPN up properly.

And if they are on a site-to-site VPN, then no you shouldn't have VPN enabled on the phone as the VPN is handled by the Sonicwalls.