hey guys,

i was going to try and set up a 9608 phone to be a VPN phone.  i think i have all the programming set up in the IP Office?  i have the extension set up as 225 and tick mark box for "allow remote extn"

im just not sure how to set up the Netgear FVS338....  we have multiple PUBLIC IP ADDRESS.  im not sure how to set up a route in the firewall? or do i need too?  i would think yes, but i need a little help..

You are getting confused between remote H3232 extensions and VPN phones. Remote extns rely upon port forwarding in the router only, VPN phones need a VPN tunnel configuring between it and the router, which are you trying to do ?

H323 even

Here is the basics for remote extn's:

Remote H323 Extensions
 

For IP Office Release 8.0+, the configuration of remote H323 extensions is supported without needing those extensions to be running special VPN firmware. This option is intended for use in the following scenario:

· The customer LAN has a public IP address which is forwarded to the IP Office system. That address is used as the call server address by the H323 remote extensions.

· The user has a H323 phone behind a domestic router. It is assumed that the domestic router allows all outbound traffic from the home network to pass through and allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. If this is not the case, the configuration of the user's router to support that is not covered by this documentation.



· Supported Telephones
Currently remote H323 extension operation is only supported with 9600 Series phones already supported by the IP Office system.  

· License Requirements
By default only 2 users can be configured for remote H323 extension usage. Additional users can be configured if those additional users are licensed and configured with either Teleworker or Power User user profiles.  

 

Customer Network Configuration

The corporate LAN hosting the IP Office system requires a public IP address that is routed to the LAN interface of the IP Office system configured for remote H323 extension support.

STUN from the IP Office system to the Internet is used to determine the type of NAT being applied to traffic between the system and the Internet. Any routers and other firewall devices between the H323 phone location and the IP Office system must allow the following traffic.

Protocol
 Port
 Description
 
ICMP
 –
 Incoming ICMP to the IP Office system's public IP address must be allow.
 
UDP
 1719
 UDP port 1719 traffic to the IP Office system must be allowed. This is used for H225 RAS processes such as gatekeeper discovery, registration, keepalive, etc. If this port is not open the phone the phone will bot be able to register with the IP Office system.
 
TCP
 1720
 TCP port 1720 traffic must be allowed. This is used for H225 (call signalling).
 
RTP
 Various
 The ports in the range specified by the system's RTP Port Number Range (Remote Extn) settings must be allowed.
 
RTCP
 
UDP
 5005
 If the system setting Enable RTCP Monitoring on Port 5005 has been enabled, traffic on this port must be allowed to include remote H323 extensions in the monitoring.
 

 

User Network Configuration

It is assumed that the domestic router allows all outbound traffic from the home network to pass through and allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. If this is not the case, the configuration of the user's router to support that is not covered by this documentation.

 

IP Office System Configuration

This is a summary of the IP Office system configuration changes necessary. Additional details and information for H323 telephone installation are included in the IP Office H323 IP Telephone Installation manual. This section assumes that you are already familiar with IP Office system and H323 IP telephone installation.

1. Licensing
If more than 2 remote extension users are to be supported, the system must include available Teleworker and or Power User licenses for those users.  

2. System Configuration
The following needs to be configured on the IP Office system LAN interface to which the public IP address is routed.  

a. Select System | LAN1/LAN2 | VoIP. Check that the H323 Gatekeeper Enable setting is selected.  

b. Due to the additional user and extension settings needed for remote H323 extension configuration, we assume that the extension and user entries for the remote H323 extensions and users are added manually.  

c. Select H323 Remote Extn Enable.

d. Set the RTP Port Number Range (Remote Extn) range to encompass the port range that should be used for remote H323 extension RTP and RTCP traffic. The range setup must provide at least 2 ports per extension being supported.  

3. Network Topology Configuration
STUN can be used to determine the type of NAT/firewall processes being applied to traffic between between the IP Office system and the Internet.  

a. Select the Network Topology tab. Set the STUN Server IP Address to a known STUN server. Click OK. The Run STUN button should now be enabled. Click it and wait while  the STUN process is run. The results discovered by the process will be indicated by ! icons next to the fields.  

b. If STUN reports the Firewall/NAT Type as one of the following, the network must be reconfigured if possible as these types are not supported for remote H323 extensions: Static Port Block, Symmetric NAT or Open Internet.

4. H323 Extension Configuration
H323 remote extensions use non default settings and so cannot be setup directly using auto-create.  

a. Within Manager, add a new H323 extension or edit an existing extension.

b. On the Extn tab, set the Base Extension number.  

c. On the VoIP tab, select Allow Remote Extn.  

d. The other settings are as standard for an Avaya H323 telephone. Regardless of direct media configuration, direct media is not used for remote H323 extensions.

5. User Configuration
The following settings are used to specify that the user is allowed to use a remote H323 extension.  

a. On the User tab, set the User Profile to Teleworker or Power User.

b. Select Enable Remote Worker.  

 

Phone Configuration

The phones do not require any special firmware. Therefore they should first be installed as normal internal extensions, during which they will load the firmware provided by the IP Office system.

Once this process has been completed, the address settings of the phone should be cleared and the call server address set to the public address to be used by remote H323 extensions.

It is assumed that at the remote location, the phone will obtain other address information by DHCP from the user's router. If that is not the case, the other address setting for the phone will need to be statically administered to match addresses suitable for the user's home network.

 

thanks for clearing that up!!  you guys rock!!!

ok... so i have a public IP address on the FVS338....  so i just need to forward the ports to the lan address of the IPO...

what ports do i need to forward??? 1719,1720

do i need to forward any others?

thanks for you help so far...

Its just a remote phone not a VPN phone.

I think I get the part where I web the call server up address to the public ip address. Im. It sure about the STUN part of it. Do I need to put any special ip route in the IPO?

OK..... im lost....

dont know if i need another ip route....

any help would be great..

You need to forward 1719 (UDP) and 1720 (TCP) like mentioned above and the rtp ports ocnfigured on your lan port of the IPO (system -> lan x)
 

BAZINGA!

I'm not insane, my mother had me tested!

The RTP ports...... Are they the addresses that look like 49125-53246

Also the port 5005.....is that for the monitor program?

Thanks again for your help.  

Yes, those are the RTP ports (they carry the voice traffic) don't worry about 5005 it isn't required it's just for SSA to monitor qos stats which it gets completely wrong anyway

OK... i have set up the routes in the firewall, but now the phone is displaying...... registering, then goes blank..... it repeats this over and over.  i dont know if this means the IPO can see the phone or the other way around?

in SYSTEM/LAN1/NEWORK TOPOLOGY what type of "firewall/NAT" should i select?  im using a netgearFVS338

set the firewall type to "unknown" and the phone gives me....

discover 192.168.1.30(ip address of IPO)

then goes to discover xxx.xxx.xxx.xxx(external IP address)

normally with IP phones this means i have an IP route issue.  i thought with the remote phone, you didnt have to worry about this?  we do have IP phones in the office that are working...dont know if that means anything?

what does it mean when you get a blank screen?

when the phone is working, should you be able to see it in "Monitor" under the status of H323 phones?

i think i see the phone in "monitor" under status/H323.  the extension is 225 which i think i see?  in the "phone type" column it says "NoPhone".  the other IP phones show the model type....

 

i dont have the "discover" message anymore...

in monitor.... it shows extn 225 (the remote extn) and i can also see the ip address from my remote location (it looks like a public IP address).  it looks like the phone is connected, but im not getting anything on the screen of the phone.

the funny thing is, when i press the "menu" button on the 9630, all the options come up and i can see the all the settings i can change things like the contrast, ringing, ect....

I CAN FEEL IT.....IM ALMOST THERE!!

does this help any?  here is a little bit of what "monitor" says is happening???

4258321mS H323Evt:    Recv: RegistrationRequest   192.168.1.116; Endpoints registered: 3; Endpoints in registration: 0
   4262658mS H323Evt:    Recv GRQ from 43bb6d70
   4262658mS H323Evt:    e_H225_AliasAddress_dialedDigits alias
   4262658mS H323Evt:    found number <225>
   4262736mS H323Evt:    Recv: RegistrationRequest  67.187.109.112; Endpoints registered: 3; Endpoints in registration: 0
   4262736mS H323Evt:    e_H225_AliasAddress_dialedDigits alias
   4262737mS H323Evt:    found number <225>
   4262737mS H323Evt:    RRQ --- CallSigProtocol is H323AnnexL_P. Go for Avaya 4600IP phone
   4262737mS H323Evt:    RRQ --- Register extn 225 using product IP_Phone, version 3.186a
   4262738mS H323Evt:    <225> registered, ipo behind nat 1, phone behind nat 1

the last line...."ipo behind nat 1"  does this mean i need to do something with the STUN settings in IPO? if so, i would need some guidence as what to program....

Holy Crap!!! i finally got the phone to come up with its buttons and works great......except i cant get any dial tone or voice yet....

i have a DID set up for the extension and when i call it the phone rings like all is working, but when i answer the phone, i dont hear anything.

i tried to take off "allow direct media path" but that didnt work.

what else might i check?

SO CLOSE!!!!!!!!

That is usually down to the port forwarding not being followed or not configured correctly, at least when I have the same issue that's what it's been

you think its an "outbound" issue?

ok..... got it working!!!!!

i had to change the "firewall/NAT type" under SYSTEM/LAN1/NETWORK TOPOLOGY

i had to change to "static port block"

thanks for all your help guys.  this is why i love the site!!!!

Headcase69,

Thank you for coming back here and post your results & discovery.

All my "remote" phones are thru corporate VPN/MPLS,  but now I am tempted to experiment for remote home workers with release 8

This got my attention on goolge search. How about for the actual VPN set up - any docs I can reference? Network is not too much an issue just getting the station configured for VPN.

Thanks!

amriddle01,

Hi, Your page has helped me try and set up my 9608 sets and get them going but I am stuck-

I ahve done everything I believe that you have outlined on this post by my set comes up with the final status discovering xxx.xxx.xxx.xxx the server address and does not connect

One thing is that on the user ----On the User tab, set the User Profile to Teleworker or Power User. --The only setting I have is basic--

I have rls 8 have have set remote user

Any help you can give me would be appreciated--My customer is remote in Philly and wants to use her set to connect back to the server this week

Thanks,

Wayne

On my home router I had to default it and DMZ to the phone with a static address. At the customers house I just plugged it in and it worked. The problem is that residential routers have no standards which is why Avaya language is so vague in the docs.

piethief, I have had the same issues in the past. Problem is when I encounter this I have now started to plug one of our Mitel remote worker phones in and I have yet to find a router that it doesn't work with, no special config/DMZ required (they use the same method). I do this just to prove a point that it's Avaya's implementation of the process at fault not the customers office/home router

Hi amriddle01,

I have been trying to solve this all weekend and am getting frustrated--I have upgraded my customers office to a rls 8 xx they have 9608 sets (2) I have one of them at my office trying to get going remotely and can not--

I have had a commercial tech support tech look at my config and he says it looks good but can not tell me what is wrong--or why I can not connect

The set gets stuck in discovery of the server
The stun test is not working

Could I ask your assistance on this for a charge ?? I need it quickly as my customer is traveling to LA this comming week

sounds like you've managed to trick the NAT on that Netgear...

"b. If STUN reports the Firewall/NAT Type as one of the following, the network must be reconfigured if possible as these types are not supported for remote H323 extensions: Static Port Block, Symmetric NAT or Open Internet. "

this is how the RTP stream traverses your NAT. hence difficulties with no voice, just the signalling coming through, like phone ringing, showing in Monitor etc..
Did you forward the RTP range through to the IPO in the NAT/ Port Range forwarding section? just curious... the STUN client is quite useful for finding out what snags you'll hit (the flavour of NAT) with the various routers/NAT's out there. also be aware of routers that have ALG ability... they can be too clever for their own good. rewriting packet headers etc.

Cheers,

Chris

I'm having a similar problem. On the moniitor I repeatedly get the following:

1056493mS H323Evt: Recv GRQ from 442d6fbc
1056494mS H323Evt: e_H225_AliasAddress_dialedDigits alias
1056494mS H323Evt: found number <252>

If I look at the traffic monitor on my firewall I notice that the IP Office is trying t communicate with the remote 9611G using its internal address from the users home router. I'll use the following example IP addresses to explain:

9611G Home Router Internal IP: 1.1.1.1
Users Home Router Public IP: 2.2.2.2
IP Office Company Public IP: 3.3.3.3
IP Office Company Internal IP: 4.4.4.4

The firewall shows the following:

2012-10-29 16:36:45 Allow 2.2.2.2 3.3.3.3 1719/udp 46504 1719 2-External-Cable 1-Trusted Allowed 352 56 (AnyIPOffice-00) proc_id="firewall" rc="100" dst_ip_nat="4.4.4.4" Traffic

2012-10-29 16:36:45 Allow 4.4.4.4 1.1.1.1 49305/udp 1719 49305 1-Trusted 2-External-Cable Allowed 137 98 (AnyIPOffice-00) proc_id="firewall" rc="100" Traffic

As you can see, when the IP Office tries to respond back to the phone it is trying to contact it using 1.1.1.1 but it should be using 2.2.2.2.

Any ideas how to get this working? The Firewall being used is a watchguard XTM505.

Did you enable STUN?
Turned off H323 ALG in the Watchguard?

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool http://tinyurl.com/bas1234 )
______________________________________

I'm not using the H323 ALG proxy in the watchguard. I'm using a custom packet filter for the NAT and port forwarding. As for STUN, I've tried a variety of settings and several STUN servers but nothing seems to work.

Do you use dynamic NAT or 1 to 1 NAT?
I think you need 1 to 1 NAT.
http://www.watchguard.com/help/docs/wsm/11/en-us/c...

Also try to setup ALG it might work better on a watchguard.
http://www.watchguard.com/help/docs/wsm/11/en-us/c...

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool http://tinyurl.com/bas1234 )
______________________________________

I was aready using 1 to 1 NAT. I just tried the H323 ALG and it is still giving me the same issues.