Have you set up a VPN to the site with the BCM?

No Vpn, I can access our system server and program from offsite if necessary. I would prefer (if possible) to NOT have to set up a VPN for the remote users.  The plan for the remote users (salesman) would be that they could use thier phone from the "holiday Inn" and be able to connect to the system.  Hope this is possible.

Somehow I don't think so. The obstacle is that you must have an IP connection to get to you BCM. So, unless the remote user has an IP device there is no way for them to talk to you. You could make your BCM publicly available on the Internet but that's a bit silly, IMHO. If you did the remote user would still need an IP device to connect to the Internet and then some software to connect to your BCM.

On the whole - you're out of luck without going down the VPN + Softphone route.

Well I have "seen" this idea work.  I hired a BCM expert to help me program this BCM.  Everything was fine except for the IP portion.  His "ex-company" has a BCM running with IP clients.  Using his softphone, on one of my private networks, he could dial into that bcm, achieve connection, receive a DN, and make calls.  (at the time we did not recoginze that the voice path was only one direction, but that was due to the local firewall not being open on the 5000 range ports)  We did NOT have a VPN to their network, and we were connected behind a firewall.  Unfortunatly he cannot get the nesc information from his ex-company due to the fact that he no longer works there, and the terms of seperation were not kind.  According to BCM telephony manual, this is also possible.  What I don't know is if I can have the BCM ~only~ connected to the local lan, with the firewall pointing port requests to the BCM, or if I need to run a direct WAN (this location has a T1) into the second LAN port on the BCM.   Or if I even need a new hardware peice ( a WAN port) to apply to the BCM. (to my knowledge there is no WAN port on this unit).  The system is currently wired as (T1 --->firewall --->switch ---->BCM Lan1 port).  One idea is to go  T1 --->Split --> a) Firewall --->switch and rest of system   b) Lan2 port on BCM.  I appreciate the help so far, and I am devoting almost full time trying to solve this problem.  Please continue to comment.

The port forwarding should work but I know the Nortel stand is a VPN tunnel to the site and an IP Phone or soft phone.No form of security otherwise.

Have you made sure that you have ports 5000 and 7000 opened through your firewall?

I think VPN would be your best bet.  With NAT traversal capabilities on the Contivity, you've eliminated a lot of the "I can't VPN in from the coffee shop" issues.

The issue you may be having now is that your firewall may not support "bi directional" or "cone NAT".  Also, the BCM payload traffic happens on 28000-28512 (if I'm not mistaken), so those ports have to be allowed to pass through the firewall also.

In short, it can be done without a firewall, but do you really want your phone system sitting on the public Internet with it's VOIP side open?  I'd spend under $1000 and get a VPN device (around $800 for a Contivity 1010) and have your users connect to that.  Launching their 2050 from that point won't be an issue.

Just to update everybody on this issue, Part of the problem was with the ISP, part of the problem was with my setup within the BCM.  Just recently I have achieved Connectivity between offsite phones and the BCM.  Unfortunately if the offsite phone (be it 2004 or 2050) is behind a firewall I get no VOICE transmission.  This seems to agin point back to a VPN resolution.  It was previously mentioned that the Contivity 1010 is a good VPN router, is there a problem using a Linksys RV082 (Have 3 of these currently).  Thanks again for everyone advice.

Here is the info from nortel about the ports required for IP Phones.

Signaling between the IP telephones and the Business Communications Manager uses Business Communications Manager port 7000. However, voice packets are exchanged using the default RTP ports 28000 through 28255 at the Business Communications Manager, and ports 51000 through 51200 at the IP telephones. If these ports are blocked by the firewall or NAT, you will experience one-way or no-way speech paths.

Marshall

I've done remote IP phones over several different manufacturers products - they all do essentially the same things.  QOS can be a factor in a VPN/Internet environment.  Some VPN routers have QOS capabilities, some don't.  Of course, if you're spanning different ISP's across the country, QOS may not help matters anyway.  I like the Contivity platform personally (probably because my blood runs Nortel blue).  

Anyway, mrmarshall is correct - UNISTIM runs on port 7000, so your phone will register, but that's about all it will do if the other ports are not allowed through the firewall (and that would be a pretty darn big hole in any firewall).