Teleworker Help

[AlfredSpecial]

If i am using Teleworker in server only mode in a dmz with a private static ip address do i also need a dedicated public address to route to this from the firewall or do i tell the remote phones to point to the company public address on the firewall which will forward the specific ports to the MAS server?

Any help as i am really confused

thanks

 

[Mitelpassion]

Hi,

I have never really configured Teleworker in server only mode. You should configure the phones with a dedicated public IP address. The company should have more than one allocated. Use one of them. You then use the firewall to route all requests to this IP address to your internal IP for your MAS.

Hope this helps. It's a lot easier to use the MAS server in gateway mode

 

[AlfredSpecial]

Cheers Mitelpassion

that makes sense now

 

[andy4uk]

As Mitelpassion said, The company should have more than one allocated. Use one of them. You then use the firewall to route all requests to this IP address to your internal IP for your MAS.

The MAS server needs to be connected to a DMZ port on the company firewall, "THIS HAS TO BE A TRUE DMZ" otherwise you will have problems.

You will also need ports to be opened up on the Company firewall as this will be required to allow the phone to boot up and also allow the voice to pass either way.

Here are the ports that will required to be opened,
TCP 22(SSH) Server-Internet
TCP 443(HTTPS) Server-Internet
TCP 443(HTTPS) Server-LAN
TCP 6800,6801 and 6802 Server-LAN
TCP 6800,6801 and 6802 Server-ICP's
TCP 6801,6802 Server-Internet
UDP 69 Server-Internet
UDP 20,000 to 23,000 (RTP) Server-Internet
UDP 1024 to 65,535 (RTP) Server-LAN
UDP 1024 to 65,535 (RTP) LAN-Server

“Server” refers to the Mitel 6000 MAS

There is other ports to open up, this is only required if using a 5235 handset as a remote phone.

Hope this helps.

I think the reason many engineers set a teleworker as a ServerGateway is it bypasses the need to configure firewalls and DMZ, and makes the job alot less difficult.

 

[AlfredSpecial]

Thanks Andy

Do you not find that most customers prefer to use and manage their own firewall and already have a firewall in place?

 

[Mitelpassion]

Just to add to the true DMZ statement. A true DMZ is a firewall with 3 or more ports or network cards. In other words a port or network card dedicated to the DMZ.

There are ways of setting up a DMZ with two network cards doing port forwarding and all types of fancy footwork. This type of configuration is not supported for Teleworker.

 

[AlfredSpecial]

what extra ports need to be open for the 5235 handset?

 

[andy4uk]

Out of all the Teleworkers I have installed only two of them have been as a Server Gateway, Most customers will or would like to control what connects to their network and are a bit concerned that the Teleworker might end up being a weak link onto their network from the out side?

Just to make things a little harder, Mitel do not support firewalls at the customer end however they do support routers at the remote end, which you can find a list through the Teleworker documentation.

As for the Extra ports required for the connection of a 5235 are as follows,
TCP 3998/9 Internet-Server For the 5235
TCP 6880 Internet-Server For the 5235

TCP 3999 Server-LAN These are configured automatically
TCP 80 Server-LAN When setup as a Server/Gateway

TCP 3300 (VFA) Server-Internet and Server-LAN Optional VoiceFirst