J179 H.323 VPN Phones "Discover" after enabeling TLS and updating Ports 2

[dsm600rr]

Hello All,

I have a few VPN Phones that stopped working after enabling TLS and updating Remote Ports on the IPO

I do not see anywhere to update any ports on the J179. Is this a certificate error? I do not see any Certificate Errors in SSA.

Phones currently VPN back to a Cisco ASA and the tunnel builds just fine.

Thoughts?

ACSS

 

[derfloh]

Pretty sure that it's a certificate issue. What ports did you update?

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: The remote and Public Ports for UDP / TCP / TLS



ACSS

 

[derfloh]

That shouldn't be an issue in this case because VPN phones are no remote ohne by definition. IPO only recognizes this as remote phones if the VPN gateway does NAT.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: The VPN Phones have been working fine for months. After I got TLS Working and Updated the ports for IX Workplace, they will VPN in, ask for a extension and pass and then go to discover.

ACSS

 

[derfloh]

Then I have to ask again if they are behind NAT

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: I will confirm with the Firewall Guy Monday and report back.

ACSS

 

[dsm600rr]

derfloh: Firewall Guy said we ARE behind NAT

ACSS

 

[derfloh]

That's why IPO sees it as remote phone and the remote port change has this effect.

They have to pull the full settings file again. I guess it's only done after a reset.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Makes sense. I have the phone back at the office and cleared. I’ll take it home tomorrow and update, thank you.

ACSS

 

[dsm600rr]

Still no go on the VPN Phone. I even put the ports back to default for now.

The only thing I see from the phone in Monitor on default trace options from the phone is:

16:25:39 15398581mS PRN: Service Access Connection from 10.10.10.4(43674) to Port 80

What trace options should I enable to figure out what is going on?

Thank you.

ACSS

 

[derfloh]

Disable NAT

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Have my firewall guy disable NAT and re-test?

ACSS

 

[derfloh]

Yes

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[janni78]

If you already have IX Workplace working from remote location why not run the J179 as remote SIP phone?

"Trying is the first step to failure..." - Homer

 

[dsm600rr]

janni78: Is there documentation on how to do so without an ASBCE? Process on loading the TLS Certs on the phones?

ACSS

 

[janni78]

They would get the settings file the same way as IX clients which should tell them the cert to download.

You can check [URL unfurl="true"]https://ipofficekb.avaya.com/[/url] under Installation -> SIP phones.

"Trying is the first step to failure..." - Homer

 

[dsm600rr]

janni78: I manually installed the Certificates on my cell phones (root-ca.crt) and PC's (.p12) in the windows certificate import wizard.

I am only seeing documentation on remote phones with an ASBCE.

What I did at my office is Default the phone and put it on my Data VLAN (where all the remote IX Workplace Applications Register)

When it reboot, it asked to "Enter Provisioning Details" - I entered in my FQDN

The phone re-boot again and I was able to log in. I also see the extension using TLS in SSA. I am assuming there is more setup than this however I will not be able to test the phone remotely until tonight.

ACSS

 

[derfloh]

You have to ensure that the IPO delivers the needed root certificate(S) as WebRootCA.pem. A J-Series phone has to load the 46xxsettings.txt and will load the WebRootCA.pem in the next step. Afterwards it will trust the needed CAs.

You can either load the files through HTTP or if you want to do it through HTTPS the phone has to be pre provisioned locally so that it will trust the certificates.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thank you, Sir. The phone is currently logged in locally on my PBX - how can I confirm it grabbed the WebRootCA.pem

ACSS