R9 and H.323 Remote extensions

Status
Not open for further replies.

MammerJammer513

IS-IT--Management
Joined
Mar 18, 2016
Messages
7
Location
US
I hate asking for help, but I've stared at this one long enough. So, I'm asking for some help from those who have been successful in getting Avaya 9608 or 9611G IP phones to connect over the internet to an IP Office 500 v2. We have two remote workers that we want to be able to have an extension at their homes and connect to the PBX using 1 of 2 methods: Configure static public IP address for PBX into handset and connect over the end user's home internet connection, or install a router/firewall at the end user's home and configure an IP-sec VPN connection to HQ and accomplish the goals with VPN routing. To clarify, I'm not referring to Avaya VPN firmware, but 3rd party router to 3rd party router IP-sec VPN.

Currently the IP Office is connected to the corporate LAN with a single private IP address. The LAN2 port is not used. I have had limited success by creating NAT and firewall rules within the corporate firewall to forward all traffic at a public IP address to the IP Office's private IP. The remote extension hits the HTTP server and downloads the settings file, shows the line appearance screen briefly as it tries to register, then it goes to a discover screen where it displays the private IP of the PBX and then hangs. I know it's contacting the call server, otherwise it wouldn't know this IP. I'm curious about what would happen if I changed that private IP to the public IP...

Do I need to enable the NAT checkbox on LAN1 interface? Do I need to configure an IP Office firewall profile? It's frustrating because I can access the web interface of the IP Office or ping it from the public IP. It seems like this is a simple NAT issue, but I can't close the distance on that last 10%.

Any useful/constructive comments are welcomed.


Thanks,

David
 
Go to lan1 - network topology and put your public ip address there.
 
Chris,

Thanks for the reply. I haven't tried that because I guess I assumed that would work. Ideally, I'd like to keep the NAT translation in the configuration for some added security.

I'll re-IP the control unit with the public IP just to confirm that if I basically DMZ the PBX my remote extensions register. That is a good idea just to test all the components before layering in a little security.

All that being said, we get hit with our share of random DDoS attacks from China. I need to get the PBX behind the firewall with some filtering before I'd be comfortable calling it finished, so ultimately I'm left solving the NAT issue anyway.

Thanks,

David
 
Don't assign a Public IP to the IP Office unless you want a massive phone bill next month.

General opinion here is that Remote H.323 phones are not stable or all that good, and it's better to use the VPN client on the phone to create a tunnel and connect.

If you are adamant on getting Remote H.323 working then provide your Firmware. There are a few different settings to check (Including H323 Remote Extn Enable)
 
Well, Chris, I put the public IP on the Network Topology tab as you suggested and I get the same results. The phone boots up and says contacting call server, I get the line appearances, then it goes to "discover" public IP, then "discover" private IP but never finishes.

IPOLackey: - I am open to a VPN config, whether it's using the Avaya hardware or 3rd party VPN hardware. The IPO is running 9.0.3.0 build 941. If you can get me through the high points of the VPN config, I'd totally be up for trying, but I believe I need a VPN license I currently don't have, unless that is part of the included Teleworker licenses.


David
 
You need a router at the system side that supports VPN tunnels and one at the user end, build a tunnel between those 2 devices. The IPO isn't involved in this process at all.
Using port forwarding for remote phones is both dangerous and unreliable and best avoided, as you have found it often just doesn't work and it's usually the routers involved causing the issue not the system, so no amount of system config helps :-)

 
Which ports did you forward to the IPO?
Did you enable remote worker on LAN1 and in the user tab?
 
What you said "install a router/firewall at the end user's home and configure an IP-sec VPN connection to HQ and accomplish the goals with VPN routing" we have done this with several customers. Works best for us.
 
@ amriddle01 both appliances are carrier grade commercial firewalls. ZyXEL USG100 local and USG50 remote. We aren't trying to use consumer grade hardware. I've encountered what you're describing with low-end routers only supporting limited VPN pass-thru.

Forwarding.. I'm not in the office at the moment but I know I created port-forwards for ping, http/s, 1718-1719 tcp/udp, and the upper 49000-ish range.

What's curious is that the forwards only seem to work when I create a policy route SNAT to keep the outbound interface address.

@mojoputter I've successfully built an IP-sec VPN tunnel with the PBX behind our firewall and the 9608 behind a similar but smaller firewall on a separate Internet connection. I can ping the PBX from the remote side and pull up the PBX Web interface. From the local side I can ping the 9608. Other than that it just doesn't seem to find the PBX on boot.


David
 
@ Amriddle01 So, I have gone back to the VPN config. I have a ZyXEL USG100 at HQ configured for an IP-Sec VPN tunnel using Static IP on the Local side and Dynamic Peer IP for the Remote ZyXEL USG50 that is on the remote end. The tunnel is nailed up and I'm able to ping across the tunnel to nodes on either subnet. The strange thing is, the phone doesn't see the PBX at all this way. It never contacts the call server or pulls down the 46xxsettings.txt file like it does when I am going out over the internet directly to the public IP.

I will admit, I'm a little confused about that. The Default IP-Sec VPN rule on my firewall is default allow all both ways. I can ping across the tunnel, I can open web interfaces across the tunnel, I can move files across the tunnel. That being said, when I ping the IP Office across the tunnel it doesn't respond from the remote side but responds fine from local.



David
 
OK.. So, new wrinkle. I added a static route in the IP Office to route 0.0.0.0/0.0.0.0 to 192.168.1.254, which is my router/default gateway on the HQ LAN. The very second I did that, the Remote 9608 registered and came online. I've made calls across the connection and voice works both ways and sounds just fine.

The issue now is, Avaya Manager no longer finds my IP Office on the LAN. I have a config backup, so I'm not really worried, but I guess I want to say both YAY! and Crap.. Any idea how to get configuration access back without breaking the remote phone?


David
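
Added illustration, not part of the posts above and not Avaya code: a longest-prefix route lookup showing why a PBX with only its connected LAN route can answer local hosts but not a phone on the far side of the tunnel, and how the 0.0.0.0/0.0.0.0 route via 192.168.1.254 changes that. The /24 mask, the local PC address and the remote phone address are constructed assumptions; only the gateway address comes from the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns (network, next_hop) or None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)

def reply_path(routes, src):
    """Describe how the PBX would send a reply back to the host at src."""
    hit = lookup(routes, src)
    if hit is None:
        return "dropped: no route"
    net, hop = hit
    # next_hop None means the destination is on the directly connected LAN
    return f"on-link via {net}" if hop is None else f"via gateway {hop}"

HQ_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed mask for the HQ LAN
GATEWAY = "192.168.1.254"                         # HQ router, from the thread
LOCAL_PC = "192.168.1.50"                         # constructed: Manager PC on the HQ LAN
REMOTE_PHONE = "192.168.50.20"                    # constructed: 9608 behind the remote firewall

# PBX routing table before the change: connected LAN only
before = [(HQ_LAN, None)]
# After adding the static default route described in the post
after = before + [(ipaddress.ip_network("0.0.0.0/0"), GATEWAY)]

if __name__ == "__main__":
    for label, table in (("before", before), ("after", after)):
        for name, host in (("local PC", LOCAL_PC), ("remote phone", REMOTE_PHONE)):
            print(f"{label:6} reply to {name:12} {host:15} -> {reply_path(table, host)}")
```

Traffic from the remote subnet reaches the PBX through the tunnel either way; it is the reply that has nowhere to go until the default route hands it to the firewall that terminates the VPN.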
 
SOLVED!!

The PBX just needed a reboot. VPN is up, phone is registered, calls are working as intended and the PBX shows up in manager.

Thanks for the input to nudge me to the right path. I'm very satisfied with the solution that keeps these phones and the PBX behind a firewall.


David
 
Cool, that was like the Tek-Tips equivalent of watching a new born foal learn to walk :-)

 