Teleworker firewall config

[TDressel]

Hi folks,

We deployed a new 3300 with a bunch of 5360's last month, and I finally got a chance to bring my phone home tonight to test the teleworker setup. I was pretty excited to see that the phone connected up when I fed it the IP of the 3300 (it is port forwarded wide open for this testing). It received it's config, my message waiting lamp went on blinking, could ring for a call inbound, even downloaded the screen saver.

But no audio, inbound or outbound.

My digging has shown that this must be firewall related, but I was not able to stick the phone outside my firewall (could not get an IP on the phone due to MAC restrictions from my home ISP). I was able to port forward everything though (1-65535 TCP/UDP) to the LAN address of the phone from the WAN address on my firewall as a test. I'm using a pfSense firewall (WAN connected to a DOCSIS 3 modem, LAN connected to a small consumer grade 8 port gigaswitch).

I was pointed at the 3300 directly, but I also tried pointing at the MBG, but the latter just rejected the connection.

I'm reasonably confident the issue is not on the 3300 side. There is a good chance we will use this teleworker mode in the coming months as we begin to realize what amazing flexibility it could give us! I'm hoping there might be some advice here. One of the folks who hangs on this board was our lead installer, and I've bounced this message by email to him as well.

With regards,

Tim

 

[danramirez]

Tim,

Is the MBG connected in "Server Only" or "Server and Gateway" mode?

If in "Server Only" what ports have you forwarded from the WAN to DMZ?

Have a close look at the MBG Eng. Guidelines, everything is there but it have to be carefully followed.

Post back with more information. Don't forget to tell us MCD Version and MBG as well.

Regards,

Daniel

http://www.hatkana.com

http://www.wtelecom.com

 

[LoopyLou]

If your MBG rejected your teleworker then most likely you have not setup in the MBG as a teleworker phone. If you open up your firewall to allow a remote phone to connect you need to make sure you open all the right ports. Signalling uses different ports then voice. Also if you are calling IP sets on your site from home you got to keep in mind that the voice will stream directly between the IP of the phone and the IP of your home router. Your corporate network would need to allow the VLAN with the phones the ability to route to the IP of your home router. Thats part of the reason for the MBG. All the external traffic goes to one point and internal phones see traffic from the MBG so internal routing is simpliar.

I'd tell you a UDP joke but I'm afraid you won't get it. TCP jokes are the best because you always get them.

 

[kwbMitel]

@TDressel, I have it on good authority that the installer tested a remote teleworker via the public IP of the MBG server(Server only mode BTW). Do you know if anything has changed?

**********************************************
What's most important is that you realise ... There is no spoon.

 

[308win]

When you 'pointed' the phone at your MBG did you do so by holding the 7 key at boot up and entering your MBG IP address?. Once booted and attached to the MBG you then enter the TW install password, or you manually enter the MAC on your MBG. And then it 'just works'. You shouldn't need to port forward anything on your home firewall with your phone in Teleworker mode.

 

[kwbMitel]

Answering for TDressel as I installed this thing.

The TW is responding and asking for the TW Password but at the same time is saying connection refused.

I suspect the peering between the MBG and the MAS has failed and the licensing is not apparent on the MBG.

**********************************************
What's most important is that you realise ... There is no spoon.