
remote j179 without VPN or SBC 2

Status
Not open for further replies.

G0G3tt3r

Programmer
Nov 11, 2009
US
This is for a business owner's home. After reading through the manuals I believe the phone has to see port 80 and 443 on the PBX plus 5060. I can't use those ports. Can I change the ports in the J179 by inserting a colon and the port I would like to use after the IP address of my HTTP server? Are there ports I am missing?
 
Don't do it.
Use an SBC or don't do it at all!


BAZINGA!

I'm not insane, my mother had me tested!
 
You can do this over NAT. Not recommended, but if you forward the following ports you can get your J179 and Equinox working without an SBC.

5060-5061 TCP
5060-5061 UDP
10000-20000 UDP (check your RTP range in IPO; this is my range)

Forward those ports to your IPO.

For provisioning phones from outside the IPO LAN, you need to do an extra step.

First, from within the LAN go to http://ipoffice_address/46xxsettings.txt and copy the text to a file.

Now on a public web server that your J179 and Equinox can access, create a text file called 46xxsettings.txt and paste in the contents you copied. Save.

You will also need to download the security certs from the IP Office and place them in the public web server where you created the 46xxsettings.txt file. Make sure the name of the cert matches what is in the 46xxsettings.txt file. Just search the 46xxsettings.txt for SET TRUSTCERTS and make sure you name the cert exactly what you see on that line.

Now in the J179 just specify the HTTP address as the IP address of the web server you have those files stored on. When it boots up, it checks the HTTP address for the 46xxsettings.txt file, downloads the cert, and registers to the IP Office.

FYI, I use an Apache web server to host my phone settings files and firmware.

Although this works, you need to make sure your IP Office is hardened if you are exposing it this way. My system is a lab system, so I can afford to throw caution to the wind.

As tlpeter stated, the only way you SHOULD do this is with a Session Border Controller.
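
A check for the provisioning step described in the post above, as an added example that is not part of the original thread or of Avaya's tooling: it reads 46xxsettings.txt from a web root, extracts the names on SET TRUSTCERTS lines, and reports certificate files that are missing or that differ only in letter case. The comma-separated, optionally quoted value format, the function names and the sample file contents are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed line format: SET TRUSTCERTS a.pem  or  SET TRUSTCERTS "a.pem,b.pem"
# Lines commented out with '#' do not start with SET and are skipped.
TRUSTCERTS_RE = re.compile(r"^\s*SET\s+TRUSTCERTS\s+(.+?)\s*$", re.IGNORECASE)

def trustcerts_names(settings_text):
    """Return the certificate file names listed on SET TRUSTCERTS lines."""
    names = []
    for line in settings_text.splitlines():
        match = TRUSTCERTS_RE.match(line)
        if match:
            value = match.group(1).strip('"')
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names

def check_web_root(web_root):
    """Compare SET TRUSTCERTS names with the files present in web_root."""
    root = Path(web_root)
    result = {"settings_found": False, "ok": [], "case_mismatch": [], "missing": []}
    settings = root / "46xxsettings.txt"
    if not settings.is_file():
        return result
    result["settings_found"] = True
    present = {p.name for p in root.iterdir() if p.is_file()}
    by_lower = {name.lower(): name for name in present}
    for name in trustcerts_names(settings.read_text(errors="replace")):
        if name in present:
            result["ok"].append(name)
        elif name.lower() in by_lower:
            # Same name in different case: a case-sensitive server returns 404.
            result["case_mismatch"].append((name, by_lower[name.lower()]))
        else:
            result["missing"].append(name)
    return result

if __name__ == "__main__":
    # Constructed sample web root; file names are placeholders.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "46xxsettings.txt").write_text(
            '## constructed sample\nSET TRUSTCERTS "Root-CA.pem,Extra.pem"\n')
        Path(d, "root-ca.pem").write_text("placeholder")
        print(check_web_root(d))
```

Run it against the directory the web server serves before pointing a phone at it; anything under `case_mismatch` or `missing` means the phone will not find the certificate named in the settings file.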
 
I fingered it out. Learned a lot. Thanks!!
 
After reading that, I'm very impressed. You have just taken me up a notch.
 
Glad you figured it out.

Any chance you can tell us what you did to figure it out?

Travis Harper gave us a great description of his method.
 
I created a firewall entry on the IPO side allowing ports 5060, 80, and 443 from the IP of the offsite phone. Just that one public IP had access to those ports. Then the phone found the files and runs perfectly.
 
You should only use encrypted connections!

And with those ports the phone will be able to register but you will not hear any tone.

Need some help with IP Office?
 
You should really only be doing this over TLS (as @derfloh points out) and with non-standard ports. You'll need to sort out your certs too.

Ideally use the option for "Use Preferred Phone Ports", which will mean the below ports will be mapped as:

80 -> 8411
443 -> 411

This will be more secure as you don't want to have 80/443 open to the public.

Change your Remote TLS port to something random (but also memorable). Your auto-generated 46xxsettings.txt file will reflect this.

Make sure your firewall matches the above and you will have a better setup than the one you have currently.

ACSS (SME)

 