
Avaya IP Office 500v2 SIP Trunk Behind Watchguard

Status
Not open for further replies.

newatek

IS-IT--Management
Mar 7, 2012
8
US
We have been having issues with putting the IPO WAN interface behind WatchGuard firewalls. We get one-way audio on the SIP line. We are using Avaya-approved SIP providers, and the answer we always get to this issue from everyone is to connect the WAN directly to the Internet. We do NOT want to do this for security reasons. We have the IP Office SIP trunks working when the WAN port is directly connected to the Internet. Does anyone have the recommended settings for putting the IPO WAN with SIP trunks behind the WatchGuard?

Thank You
 
Normally it should only be necessary to have an outbound connection to your SIP provider. We have one customer with three sites where call forwarding and twinning have no audio, though.

Check your WatchGuard to disable SIP ALG or other VoIP "help" functions.
 
Who is advising you to connect the WAN port directly to the Internet?

You are correct not to do so.

If this is advised by your IPO maintainer, then I strongly recommend you start looking for a competent one as soon as possible.

Simple NAT should be enough for SIP to work with no port forwarding.

Check to see if the WatchGuard supports SIP ALG; if it does, then turn it OFF!

Also check the RTP keepalive settings on the IPO; this is especially important for call forwarding.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
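A small diagnostic, added here and not part of the thread, that shows why untreated NAT or a SIP ALG produces the one-way audio described above: it compares the addresses a SIP INVITE advertises (Via header and SDP c= line) with the address the packet was actually seen from. The INVITE, the LAN2 and public addresses, and the ALG model are all constructed for illustration.

```python
import ipaddress
import re

PRIVATE_IP = "192.168.42.10"   # constructed LAN2 address of the IP Office
PUBLIC_IP = "203.0.113.5"      # constructed public address on the firewall
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE as the IP Office would send it from LAN2, trimmed to the
# headers that matter here; names and addresses are made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip-provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP %s:5060;branch=z9hG4bK-constructed\r\n"
    "To: <sip:+15551234567@sip-provider.example>\r\n"
    "Contact: <sip:1001@%s:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 %s\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n"
) % (PRIVATE_IP, PRIVATE_IP, PRIVATE_IP)

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def rewrite_lines(raw, prefixes, old, new):
    """Model a SIP ALG: rewrite 'old' to 'new' only on lines starting with one
    of 'prefixes'. Plain NAT changes nothing inside the packet at all."""
    return "\r\n".join(l.replace(old, new) if l.startswith(prefixes) else l
                       for l in raw.split("\r\n"))

def check_nat_consistency(raw, observed_src_ip):
    """Compare the addresses a SIP INVITE advertises with the address it was
    actually received from; an empty findings list means they are consistent."""
    head, _, body = raw.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        hdr[name.strip().lower()] = value.strip()
    via = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", hdr.get("via", ""))
    via = via.group(1) if via else None
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    media_ip = c.group(1) if c else None
    findings = []
    if media_ip and is_rfc1918(media_ip) and not is_rfc1918(observed_src_ip):
        findings.append("RFC 1918 media address %s seen from the public side: the "
                        "provider will send RTP there and audio will be one-way" % media_ip)
    if via and media_ip and via != media_ip:
        findings.append("Via %s but SDP %s: signalling rewritten without the SDP "
                        "(typical of a SIP ALG)" % (via, media_ip))
    return {"via": via, "media_ip": media_ip,
            "media_port": int(m.group(1)) if m else None, "findings": findings}
```

Run the check on a capture taken on the provider-facing side of the firewall: a finding on the SDP address points at NAT traversal, a Via/SDP mismatch points at an ALG rewriting the message.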
 
Thanks for the info. The SIP providers and distribution have told us this. Am I to assume that if I set the IPO WAN interface to the DMZ behind the firewall, I will only need to change the settings to reflect the new IP, check RTP keepalive on the IPO and then turn off SIP ALG on the firewall, and it should work?

Won't we need to allow the IP range from our SIP provider through on the required SIP ports?

Thanks again. I am astonished at the misinformation we have been given.
 
Even Avaya SEs will tell you to hook the WAN port directly to the Internet for SIP trunks (although it's stupid).

SIP from the local incumbent telco won't work without port forwarding. The provider initiates the connection, not the IP Office.

What I ended up having to do in our own office for the above-mentioned SIP from the telco was connect the WAN port of the IPO directly to the physical port on the switch provided by the telco for Metro-E/SIP, then set up the IPO firewall to only allow traffic to/from the telco's IP for our SIP, then I created a route in the IPO for WAN (LAN2) that only routes to the telco's IP.

Not how I'd like to do it, but after fighting with it, an Avaya SE came in and had me set it up that way. It's been that way for over a year with zero security issues (knock on wood).
 
Great, that's what we have been using. I just found out the problem is not with the SIP trunks; we get them to work fine without any problem. The issue is that a twinned call drops after 15 seconds because the source IP is from the DMZ, not the external IP. What are we missing?
 
The internal firewall works just like most other $200 firewalls.
The only thing we don't know is how much it can withstand and what happens to it when overwhelmed by attacks.

Keep in mind that it runs on the same resources as the telephony services of the IPO; I'm fairly certain that the firewall is in the lower part of the priority list.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Nnaarnn
SIP will work without port forwarding. I have many sites with SIP, and not one uses port forwarding.
Restricting the routing table and firewall settings will reduce the risk but will not eliminate it.

Putting the IPO in the DMZ is the same as connecting it directly to the Internet; do not do it unless you want to be hacked!

If you find there is no other way, then make sure your router only forwards data from the SIP provider's address and no others.

The best approach is to install an SBC, but that is usually overkill.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
newatek: That's going to be a routing issue.

Gunnaro: I'm aware. I'd refuse to do it this way for a larger office.

IPGuru: Our SIP trunk absolutely will not connect with inbound 5060 not opened. This is why our Avaya TAM eventually got an Avaya Systems Engineer into our office to assist, and how I have it set up is "exactly how it should be without an SBC" according to him, who made the suggestions to set it up how it is now.

The provider ran fiber into our building, into a switch, and gave us one Ethernet port for Internet and a second Ethernet port for the SIP trunk. That second Ethernet port goes directly into LAN2, with the IPO firewall only allowing traffic to/from the telco's endpoint, with a route to only the telco's endpoint.

Pain in the @$$, I know, but that's what the provider and Avaya came up with to make it work.
 
Nnaarnn

Are your SIP trunks using registration?

If it is not using registration, then you may indeed need to open specific ports *very carefully*. If this is the case, I suggest you ask your SIP provider to convert to using registration so that the firewall can be closed.

(All of our installations use registration, so port forwarding has not been required.)

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Second that, IPGuru!

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Thanks to all. SIP trunks are up and working, twinning as well. The only issue we had was that twinned calls would drop after 12-15 seconds. This was resolved by turning on the firewall on the IPO.
 