set up for 9608 VPN phone 5

[headcase69]

hey guys,

i was going to try and set up a 9608 phone to be a VPN phone. i think i have all the programming set up in the IP Office? i have the extension set up as 225 and tick mark box for "allow remote extn"

im just not sure how to set up the Netgear FVS338.... we have multiple PUBLIC IP ADDRESS. im not sure how to set up a route in the firewall? or do i need too? i would think yes, but i need a little help..

 

[amriddle01]

You are getting confused between remote H3232 extensions and VPN phones. Remote extns rely upon port forwarding in the router only, VPN phones need a VPN tunnel configuring between it and the router, which are you trying to do ?

 

[amriddle01]

H323 even

 

[amriddle01]

Here is the basics for remote extn's:

Remote H323 Extensions


For IP Office Release 8.0+, the configuration of remote H323 extensions is supported without needing those extensions to be running special VPN firmware. This option is intended for use in the following scenario:

· The customer LAN has a public IP address which is forwarded to the IP Office system. That address is used as the call server address by the H323 remote extensions.

· The user has a H323 phone behind a domestic router. It is assumed that the domestic router allows all outbound traffic from the home network to pass through and allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. If this is not the case, the configuration of the user's router to support that is not covered by this documentation.



· Supported Telephones
Currently remote H323 extension operation is only supported with 9600 Series phones already supported by the IP Office system.

· License Requirements
By default only 2 users can be configured for remote H323 extension usage. Additional users can be configured if those additional users are licensed and configured with either Teleworker or Power User user profiles.



Customer Network Configuration

The corporate LAN hosting the IP Office system requires a public IP address that is routed to the LAN interface of the IP Office system configured for remote H323 extension support.

STUN from the IP Office system to the Internet is used to determine the type of NAT being applied to traffic between the system and the Internet. Any routers and other firewall devices between the H323 phone location and the IP Office system must allow the following traffic.

Protocol
Port
Description

ICMP
–
Incoming ICMP to the IP Office system's public IP address must be allow.

UDP
1719
UDP port 1719 traffic to the IP Office system must be allowed. This is used for H225 RAS processes such as gatekeeper discovery, registration, keepalive, etc. If this port is not open the phone the phone will bot be able to register with the IP Office system.

TCP
1720
TCP port 1720 traffic must be allowed. This is used for H225 (call signalling).

RTP
Various
The ports in the range specified by the system's RTP Port Number Range (Remote Extn) settings must be allowed.

RTCP

UDP
5005
If the system setting Enable RTCP Monitoring on Port 5005 has been enabled, traffic on this port must be allowed to include remote H323 extensions in the monitoring.




User Network Configuration

It is assumed that the domestic router allows all outbound traffic from the home network to pass through and allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. If this is not the case, the configuration of the user's router to support that is not covered by this documentation.



IP Office System Configuration

This is a summary of the IP Office system configuration changes necessary. Additional details and information for H323 telephone installation are included in the IP Office H323 IP Telephone Installation manual. This section assumes that you are already familiar with IP Office system and H323 IP telephone installation.

1. Licensing
If more than 2 remote extension users are to be supported, the system must include available Teleworker and or Power User licenses for those users.

2. System Configuration
The following needs to be configured on the IP Office system LAN interface to which the public IP address is routed.

a. Select System | LAN1/LAN2 | VoIP. Check that the H323 Gatekeeper Enable setting is selected.

b. Due to the additional user and extension settings needed for remote H323 extension configuration, we assume that the extension and user entries for the remote H323 extensions and users are added manually.

c. Select H323 Remote Extn Enable.

d. Set the RTP Port Number Range (Remote Extn) range to encompass the port range that should be used for remote H323 extension RTP and RTCP traffic. The range setup must provide at least 2 ports per extension being supported.

3. Network Topology Configuration
STUN can be used to determine the type of NAT/firewall processes being applied to traffic between between the IP Office system and the Internet.

a. Select the Network Topology tab. Set the STUN Server IP Address to a known STUN server. Click OK. The Run STUN button should now be enabled. Click it and wait while the STUN process is run. The results discovered by the process will be indicated by ! icons next to the fields.

b. If STUN reports the Firewall/NAT Type as one of the following, the network must be reconfigured if possible as these types are not supported for remote H323 extensions: Static Port Block, Symmetric NAT or Open Internet.

4. H323 Extension Configuration
H323 remote extensions use non default settings and so cannot be setup directly using auto-create.

a. Within Manager, add a new H323 extension or edit an existing extension.

b. On the Extn tab, set the Base Extension number.

c. On the VoIP tab, select Allow Remote Extn.

d. The other settings are as standard for an Avaya H323 telephone. Regardless of direct media configuration, direct media is not used for remote H323 extensions.

5. User Configuration
The following settings are used to specify that the user is allowed to use a remote H323 extension.

a. On the User tab, set the User Profile to Teleworker or Power User.

b. Select Enable Remote Worker.



Phone Configuration

The phones do not require any special firmware. Therefore they should first be installed as normal internal extensions, during which they will load the firmware provided by the IP Office system.

Once this process has been completed, the address settings of the phone should be cleared and the call server address set to the public address to be used by remote H323 extensions.

It is assumed that at the remote location, the phone will obtain other address information by DHCP from the user's router. If that is not the case, the other address setting for the phone will need to be statically administered to match addresses suitable for the user's home network.

 

[headcase69]

thanks for clearing that up!! you guys rock!!!

ok... so i have a public IP address on the FVS338.... so i just need to forward the ports to the lan address of the IPO...

what ports do i need to forward??? 1719,1720

do i need to forward any others?

thanks for you help so far...

 

[headcase69]

Its just a remote phone not a VPN phone.

I think I get the part where I web the call server up address to the public ip address. Im. It sure about the STUN part of it. Do I need to put any special ip route in the IPO?

 

[headcase69]

OK..... im lost....

dont know if i need another ip route....

any help would be great..

 

[tlpeter]

You need to forward 1719 (UDP) and 1720 (TCP) like mentioned above and the rtp ports ocnfigured on your lan port of the IPO (system -> lan x)


BAZINGA!

I'm not insane, my mother had me tested!

 

[headcase69]

The RTP ports...... Are they the addresses that look like 49125-53246

Also the port 5005.....is that for the monitor program?

Thanks again for your help.

 

[amriddle01]

Yes, those are the RTP ports (they carry the voice traffic) don't worry about 5005 it isn't required it's just for SSA to monitor qos stats which it gets completely wrong anyway

 

[headcase69]

OK... i have set up the routes in the firewall, but now the phone is displaying...... registering, then goes blank..... it repeats this over and over. i dont know if this means the IPO can see the phone or the other way around?

in SYSTEM/LAN1/NEWORK TOPOLOGY what type of "firewall/NAT" should i select? im using a netgearFVS338

 

[headcase69]

set the firewall type to "unknown" and the phone gives me....

discover 192.168.1.30(ip address of IPO)

then goes to discover xxx.xxx.xxx.xxx(external IP address)

normally with IP phones this means i have an IP route issue. i thought with the remote phone, you didnt have to worry about this? we do have IP phones in the office that are working...dont know if that means anything?

 

[headcase69]

what does it mean when you get a blank screen?

when the phone is working, should you be able to see it in "Monitor" under the status of H323 phones?

i think i see the phone in "monitor" under status/H323. the extension is 225 which i think i see? in the "phone type" column it says "NoPhone". the other IP phones show the model type....

 

[headcase69]

i dont have the "discover" message anymore...

in monitor.... it shows extn 225 (the remote extn) and i can also see the ip address from my remote location (it looks like a public IP address). it looks like the phone is connected, but im not getting anything on the screen of the phone.

the funny thing is, when i press the "menu" button on the 9630, all the options come up and i can see the all the settings i can change things like the contrast, ringing, ect....

I CAN FEEL IT.....IM ALMOST THERE!!

 

[headcase69]

does this help any? here is a little bit of what "monitor" says is happening???

4258321mS H323Evt: Recv: RegistrationRequest 192.168.1.116; Endpoints registered: 3; Endpoints in registration: 0
4262658mS H323Evt: Recv GRQ from 43bb6d70
4262658mS H323Evt: e_H225_AliasAddress_dialedDigits alias
4262658mS H323Evt: found number <225>
4262736mS H323Evt: Recv: RegistrationRequest 67.187.109.112; Endpoints registered: 3; Endpoints in registration: 0
4262736mS H323Evt: e_H225_AliasAddress_dialedDigits alias
4262737mS H323Evt: found number <225>
4262737mS H323Evt: RRQ --- CallSigProtocol is H323AnnexL_P. Go for Avaya 4600IP phone
4262737mS H323Evt: RRQ --- Register extn 225 using product IP_Phone, version 3.186a
4262738mS H323Evt: <225> registered, ipo behind nat 1, phone behind nat 1

the last line...."ipo behind nat 1" does this mean i need to do something with the STUN settings in IPO? if so, i would need some guidence as what to program....

 

[headcase69]

Holy Crap!!! i finally got the phone to come up with its buttons and works great......except i cant get any dial tone or voice yet....

i have a DID set up for the extension and when i call it the phone rings like all is working, but when i answer the phone, i dont hear anything.

i tried to take off "allow direct media path" but that didnt work.

what else might i check?

SO CLOSE!!!!!!!!

 

[amriddle01]

That is usually down to the port forwarding not being followed or not configured correctly, at least when I have the same issue that's what it's been

 

[headcase69]

you think its an "outbound" issue?

 

[headcase69]

ok..... got it working!!!!!

i had to change the "firewall/NAT type" under SYSTEM/LAN1/NETWORK TOPOLOGY

i had to change to "static port block"

thanks for all your help guys. this is why i love the site!!!!

 

[madwok]

Headcase69,

Thank you for coming back here and post your results & discovery.

All my "remote" phones are thru corporate VPN/MPLS, but now I am tempted to experiment for remote home workers with release 8