Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Hello all,

Since we are locked down in quarantine, I have been messing with more Avaya Goodies - specifically for remote worker support, so I have begun messing around with Avaya IX Workplace. Let's just start off by saying I am completely new to this offering and have never seen anyone set it up to reference.

So I am going off the .pdf and have some questions as I am following along.

Here is the .pdf I am following, starting on page 109 "Avaya IX Workplace Client Installation Notes(Equinox)"
https://files.engineering.com/getfile.aspx?folder=...

Below is the part that is confusing me. I do not see any further information in the .pdf in regards to what they mean with the below statement or the process to make it happen.

"The system's SIP Registrar FQDN must be set and must be reachable from external addresses. For Avaya Spaces this applies even if the Avaya IX Workplace Client users are internal to the customer network."

Otherwise, below is what I have done thus far. Any suggestions are greatly appreciated:

- Configured a Zang account
- Added us as a Company
- Added and Verified our Domain (entered in the verification code and added it as a TXT record to the DNS entries on our domain's DNS server)
- Created a new API Key and Secret Key and entered into the security settings of the IPO
- Logged into the IPO and set the following:



I have not moved any further in the document as of now.

Thank you.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
derfloh: Correct, not even sure what a "SIP FQDN" is or how to "Set up". Is it in the documentation? I do not see it.

Also, SSA was showing this:



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
derfloh: I currently have the IPO LAN 2 SIP Registrar FQDN with the IP Address of itself.

The WAN is currently acting as the DHCP server for my J179's as well as where the SIP Trunk comes in.

The LAN is on our internal data network for One-X / Local PC Access to PBX



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
derfloh: 5 years and aced my ACSS Exam, so I have some experience with the IPO. I am the only Avaya guy in my company so knowing everything is pretty much impossible haha.

The whole point would be to connect external (remote workers) - Currently using Communicator.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
derfloh: I am aware that an internal IP Address will not work.

When I was at Jenne for ACSS and we were doing exercises on the J100's, they had the SIP Registrar FQDN set to the IPO LAN IP Address, so I just assumed that was required for the J100's?

Guessing that was there for other reasons and all lab work was internal.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

The certificate warning is probably the connection to Zang, you need to import the certificate from Zang's webpage to IP Office if you want user sync to work, dunno why this isn't mentioned or why it isn't trusted as default.

"Trying is the first step to failure..." - Homer

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
janni78: Appreciate the info. Where can the certificate be downloaded from when logged into Zang? What is the process to upload the certificates to the IPO?

Clearly I have not yet dealt with Certificates or FQDN :)

How can you confirm what is actually connected and working? I am assuming I need to get this "public resolvable FQDN and a SIP domain" figured out before anything will work? Is this what connects the IPO to "Spaces" and then "IX"? What is "Zang" doing exactly?

Also not sure what to do here: "you need a valid certificate and a root CA trusted by the clients"

Definitely new to all this remote worker stuff. Previously we always just deployed VPN Phones.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

2
Open https://accounts.zang.io with Chrome, click on the padlock, show the certificate and download the issuing certificates GTA and Google.
Then upload the certificate to IP Office in security settings - trusted root certificate authorities.

As soon as you have configured Zang user sync, your IPO users will be visible in your Zang domain if you enable this. And Zang will automatically know the URL of your 46xxsettings.txt.

The IX Workplace client connects to Zang, you will enter your e-mail address, Zang will know your domain, Zang will inform the client about the settings file URL. You just have to enter username and password afterwards.

You can also avoid Zang and just enter the settings file URL in the client app.

As soon as you use TLS encryption (and that's strongly recommended!) IP Office will need a server certificate, that matches the DNS name and SIP Domain the client connects to and the client has to trust the issuing CA of that certificate.

Even if without ASBCE this document gives good hints: https://downloads.avaya.com/css/P8/documents/10104...

If it's completely new, I recommend to ask someone to help you.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
derfloh: I definitely appreciate the detailed post. You clearly have been doing this a long time.

I am asking for some help/guidance here as the most knowledgeable people are here :) Star for you.

Anyway, one thing at a time. Back to the certificates. Which format does the IPO Need?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I usually pick Base-64, both .cer formats probably work.

"Trying is the first step to failure..." - Homer

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
janni78: Thank you. Is the file name important?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Hello all,

So I have made some progress just messing around with things

In the office (local LAN), I have everything configured where I just enter in my email address, extension and password and the app pre-configures and allows me to log in and take calls.



I have a subdomain created: ix.our_domain.com A record that is pointed to the Public IP Address of our firewall.

Using dnschecker.org I can see that the subdomain is resolvable to the public IP Address of our Firewall.

I will then Have my Firewall guy forward the specific ports and hosts listed in the document to the IPO?





At that point should the Workplace App work from anywhere outside of the LAN?

If so, great. The next step I believe should be the TLS Encryption, however I have never really messed with Certificates within the IPO. Is only a TLS Cert needed for the IPO? Is this manually created? Suggestions here would be great.

Thank you!

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Here's the step needed to make this cert work:

If you use the IPO as the certificate authority, then you need to download the IPO root CA and install it into your computer.

Then you need to create an identity certificate for the IPO itself.

Subject Name: hostname.domain.com (example iposrv.mycompany.com)
Subject Alternative Name: DNS:mycompany.com, DNS:iposrv.mycompany.com, IP:192.168.42.1 (internal IP of your IPO), IP:172.45.15.26 (external IP), URI:sip:mycompany.com

Make sure that you have a SIP domain and SIP FQDN configured in Manager under System/LAN1/VoIP. The SIP FQDN must be the same you use in the certificate (obviously). I personally use the hostname of the IPO for the SIP FQDN like I showed above. This FQDN must be resolvable by DNS! In your internal DNS server, the A record for, say, iposrv.mycompany.com must point to the internal IP of your IPO. You'll also need to do the same thing on your external DNS server so that iposrv.mycompany.com is resolvable from the internet as well. This is what's called split-DNS.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
JazzWizzard: I really appreciate the info! I will give it a go.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
We should be all set with the sub-domain being resolvable from the outside at this point.



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Thanks to you dsm600rr and kudos to everyone else. With the current events I have been also exploring Workplace IX. I've been trying to get this working for months now. I was able to have it to work on my LAN and on VPN. Not sure If you got it to work outside your local LAN dsm600rr but was JazzWizard referring to this screen below:


Thanks in advance.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
I am back to re-visit. I am trying to understand the certificates and getting TLS Encryption working before we point our Internal DNS A Record to the PBX

So I have gone to IP Office Web Manager > Security > Certificates and Exported the Certificate - In which I Re-Named "WebRootCA.pem"



Does this cert get uploaded to the embedded file management primary folder? I also see a mention of folder: /SYSTEM/PRIMARY/certificates/TCS/ADD

I also understand I need to create an Identity Certificate for the IPO.

I have an Avaya IP Office PBX with VM Pro running on an application server. Within the voicemail pros Application Server Web Control > Settings > General I do see a spot to create the certificate however I am not sure if this is the correct stop (for example if the customer does not have an application server running, where would this certificate be created)?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Does this look correct?



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I think that we are stuck almost at the same level. Let me verify what I have.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

To start I don't have "Offer ID Certificate Chain" on. I'm sure our setup won't be identical but just letting you know how I have it.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I don't have documentation to configure VM pro in my notes

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I exported 2 certs from the Web Management that I have installed so far on Windows clients. For mobile devices (tested only with iPhone) it was not necessary.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@derfloh do you know if we are filling the IPO LAN fields correctly? I didn't fill in the SIP Domain Name nor SIP Registrar FQDN and my system is working fine in the office and VPN. I do have both checkboxes checked, SIP Trunk Enable and SIP Trunk Registrar. I can't find any documentation really that could guide me to set this up from start to finish. I'm stuck getting it working outside of the LAN and VPN.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr. I think that you should have your softphones working on your LAN at least at this point.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@derfloh I forgot to mention that I already have that checked. See below. Do you know if it's required to fill the SIP Domain Name and SIP Registrar FQDN textboxes with the FQDN that I created? So far I want to say that I'm 50% where I want to be since I have it working on my LAN and on VPN for laptops and on iPhones. For some reason it's not working outside my network. It could be the firewall but I want to be sure that I'm not missing any configuration for the IPO. I basically got it working by searching and asking around, got some tech support too. But so far I haven't made any more progress.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Sparrow4 I have IX Workplace working perfectly internally - and auto configuring. This has been the case for months.

Where I am stuck is TLS and the certificates needed. I have read the documents many times - just cant get this part figured out.

I cannot get my vantage phone working internally. I get up to the spot with the screen showing the 3 people in the office looking at a laptop.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Sparrow4: yes you need to populate the SIP Domain Name and SIP Registrar FQDN Fields.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dms600rr now I get it.. yikes ok. I don't have Vantage Phone implemented. I don't think that it should matter but I'll see if I find anything. Do you have the Workplace working outside your network? Is that the reason why you need to set up TLS and the certs... sorry for the questions, I'm new to all of this.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Sparrow4: I do not. When doing so you need to enable TLS under the Layer 3 protocol.

The IPO will act as the Certificate Authority in which you need to download the Root CA. I believe I already did that however I am not sure.

I exported the certificate from here:



and renamed it: "WebRootCA.pem" per the documentation. I am not 100% sure where to place this certificate.

My next hang-up is creating an Identity Certificate for the IPO itself. This brought on a few questions:
1. I have an Avaya IP Office PBX with VM Pro running on an application server. Within the voicemail pros Application Server Web Control > Settings > General I do see a spot to create the certificate sure if this is
2. What if my customer only has an IPO and is not running an application server where would this certificate be created? I do not see anywhere within web manager nor the security settings to do so.
3. I am not sure if the certificate was created correctly in the first place:




ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr no progress on my end sorry. I'm still looking. I just ended up finding out that I also have to fill the "Network Topology" tab. I wish there was a better documentation on how to set this up. Anyway I'll keep you posted.
Be safe.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Sparrow4, you can use a STUN server such as stun.counterpath.net to fill the information on that tab. You enter a STUN server and then press "Run STUN" and it will fill the public IP and the type of Firewall/NAT.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Thanks @JazzWizzard. Much appreciated. I'll push it during my off business hours.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Thanks @JazzWizzard, it doesn't seem that it made a difference. @dsm600rr nothing new on my end sorry. I'm going to see if I can create the new certs that should work with TLS. Have a great weekend.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Sorry no luck on my side @dsm600r. I enabled TLS not sure what's missing.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

2
I'm gonna post a lot of stuff here, this is all in-house guides I have written so my less experienced colleagues can get an idea of what is required for all these addons.

Equinox on IP500

There are 3 things that need to be configured for Equinox to work on an IPO



1. Certificate

2. Firewall

3. IPO



Certificate

For Equinox to operate via a TLS connection we need to assign a certificate to the system. This will usually be a SAN certificate and will need one entry for each site the customer has, plus one generic entry.

1. Site1.company.com

2. Site2.company.com

3. Site3.company.com

4. Company.com



In the above example the first three entries are the FQDNs used for the individual sites and the 4th entry is the generic Domain used across all the sites. Adding the licences to the system is the same as on our standard hosted systems.

Also please remember you will need to get the customer to setup DNS records so that externally the FQDNs resolve to the assigned public IP address for each site, and internally to the IP address of the IPO itself.



Firewall

The following ports will need to be NAT'd/Allowed through any firewall.

TCP - 443

UDP - 40750 - 50750 (this may be different depending on the NAT RTP ports set on the IPO VoIP tab)

TCP - 6060 - 6061



IPO

System->System

Ensure Use Preferred Phone Ports is unticked



System->LAN->Network Topology

STUN Server Address – Blank Out

Firewall/NAT Type – Set to Unknown

Binding Refresh Time (seconds) – Set to 60

Public IP Address – Set to Assigned Public IP

Public Port UDP – Set to 5060

Public Port TCP – Set to 5060

Public Port TLS – Set to 5061



System->LAN->VoIP

SIP Remote Extn Enable - Activate

SIP Domain Name – Set to company.com

SIP Register FQDN – Set to site.company.com

TLS Port – Activate and Set to 6061

Remote (UDP Port) – Set to 6060

Remote (TCP Port) – Set to 6060

Remote (TLS Port) – Set to 6061

Port Number Range (NAT) – Amend to 40750-50750



Certificate Part 2

Log in to the security settings page of the IPO and apply both the intermediate certs and the pfx to the system.

Go to https://site.company.com

Click on the padlock and download the certificate as a .cer

Save the certificate as WebRootCA.cer

At this point you need to amend the WebRootCA.cer to a WebRoot.pem

This can be done using an openssl session in Windows.

Run the session and ensure the downloaded certificate is in the folder highlighted on the openssl prompt.

Then enter the following command

openssl x509 -inform der -in WebRootCA.cer -out WebRootCA.pem

The file will be in the same location as the downloaded certificate.

Once you have the WebRootCA.pem file, log into the Embedded File Manager of the IPO and copy this file to the Primary folder.


We also came up with a lot of little workarounds to make life easier; these include the following

R11 Changes - Required for Equinox and J Series Handsets


Go to https://client.voice.pinnacle.cloud:7071

Login

Go to Settings-->General

Scroll Down to Certificates

Click on Download (PEM-encoded)

Save this file locally.



Rename the file to WebRootCA.pem



Open putty

Connect to client.voice.pinnacle.cloud on port 22

Login with Administrator.



Type cd .. until at the top directory

Type cd /opt/ipoffice/system and hit enter

Type sudo chmod -R 777 primary and hit enter





Open WinSCP

Connect to client.voice.pinnacle.cloud on port 22

Login as Administrator

Navigate to opt/ipoffice/system/primary

Copy the newly renamed certificate into this directory.



Go to https://client.voice.pinnacle.cloud/46xxspecials.t...

Copy and paste the text into notepad

Find the following line

# J1X9SPECIALS

and then enter the following in the line below


SET TLSSRVRID 0

Save as 46xxspecials.txt



Open WinSCP

Connect to client.voice.pinnacle.cloud on port 22

Login as Administrator

Navigate to opt/ipoffice/system/primary

Copy the newly saved file into this directory.



Adding the SSL Certificate to the Server Edition
Download the certificate file from ConnectWise in Companies>Pinn>Configurations>*.voice.pinn.cloud>Documents
Extract the Zip file to a location on your PC. There will be 5 files.
Log in to the Server Edition with IP Office Manager and switch to Security Settings
Navigate to System>Certificates.
Under Trusted Certificate Store, Click "Add" and browse to the location where you unzipped the files earlier. Select the Intermediate.cer file
Under Identity Certificate, ensure that Offer ID Certificate Chain checkbox is ticked and then click "Set".
Check "Import certificate from file" and click "OK" and browse to the location where you unzipped the files earlier.
Next to the Filename, click the dropdown and select "Personal Information Exchange (*.pfx)" and select the voice.pinn.cloud.pfx file and click "Open"
Enter the password
Click "OK" in the Security Settings and then Save. This will restart all the IP Office services.
After waiting a couple of minutes browse to https://{clientname}.voice.pinn.cloud:7070 and ensure that your browser shows the green padlock.

| ACSS SME |

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@Pepp77..... Dude that looks good. I'll try it over the weekend. Thanks a lot!

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Pepp77:

When I get to your step of:

Go to https://site.company.com
Click on the padlock and download the certificate as a .cer
Save the certificate as WebRootCA.cer

I have two certificates that show up:



No option to download as a .cer, only .pem




Why not just go to http://192.168.42.1/WebRootCA.pem and download that file?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Because we are taking the ssl cert and amending it so the Avaya uses it instead of its built in one. Doing that uses the built in one.

| ACSS SME |

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Hi hope that all is well. @dsm600rr and Pepp77.
I can’t reach https://site.company.com. I can only use http. Thoughts?

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
I think I am making some progress.

Internally, if I go to my FQDN, It hits my PBX.




Externally, if I go to my FQDN, it hits my firewall:




So I sent my firewall guy the ports that need to be opened from the document:





Now he stated that he had to do some port forwarding as there were issues with ports 443 and 80

Now when I go to my FQDN externally the page times out. My firewall guy says he sees the firewall forwarding to the PBX and it is not responding.

Should I be hitting the Web Manager from outside my network with the FQDN or is that by design that it does not show the Web Manager Externally?

If I do a nslookup to my FQDN Internally, it resolves to the IPO

Externally it resolves to my firewall.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Sparrow4: Have you set up Split DNS? Internal DNS Server from: https://site.company.com to your PBX?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

My external fqdn is timing out as well. Works great internally and on VPN. I'll look into that port forwarding. Also I don't know if it's by design but from what I understand, we have to access the http://mycompany.com/46xxsettings.txt and FQDN internally and externally.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I don't remember setting up split DNS. I'll look into that as well.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Sorry for the radio silence guys. @dsm600rr, Pepp77 is right. So I fixed most of my firewall issues. I'm able to have it work inside and outside of my network without VPN. The problem that I have now is that it won't work with the FQDN like before for some reason. I can only use my private and public IP to register the clients. I'm getting an error message with the FQDN that is related to DNS, which doesn't make any sense since it used to work that same week when I was cleaning house. The error message is "URI contains invalid FQDN. DNS failure." Like I said, very weird: I had it working that same week and all of a sudden I get this message telling me that the DNS server is wrong -__-

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I noticed on one of the screenshots you have sip domain and FQDN the same.
This is incorrect.

In your case, the correct way.
SIP Domain is pfcommunications.com
FQDN is ix.pfcommunications.com

In some cases I have seen, but have never tried myself.
SIP Domain = The Public IP
FQDN = The Public IP

Split DNS is easy.
On your internal DNS server point ix.pfcommunications.com to the private IP of the IP Office
With your provider, create a DNS entry to point ix.pfcommunications.com to your public IP address.

All that's left are the firewall ports, and correct network topology setting on the IP Office.

***URI contains invalid FQDN***<- your cert is configured incorrectly.

When you generate your cert, you need to enter this. <- double check for typos.. don't copy and paste.
DNS:pfcommunications.com,DNS:ix.pfcommunications.com,IP:the_private_ip,IP:the_public_IP,URI:sip:ix.pfcommunications.com,URI:sip:the_public_IP,URI:sip:the_private_IP

Regenerate and apply.
Download the root DER encoded ( the top buttons )
Download the Identity PEM. ( the bottom button )
Install on device.

When you view your cert, scroll down it should contain all the values specified.
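
Added example, not written by any poster in this thread and not Avaya tooling: a Python check for the `DNS:...,IP:...,URI:sip:...` SAN line that JazzWizzard's and Travis Harper's posts describe, to run before the line is entered in the certificate form. The expected entry set is an assumption modelled on the longest SAN line posted in this thread, and the names and addresses are constructed (example.com and RFC 5737 documentation ranges).

```python
import difflib
import ipaddress

KINDS = ("DNS", "IP", "URI")

# Constructed sample values, not taken from any poster's system.
SIP_DOMAIN = "example.com"
REGISTRAR_FQDN = "pbx.example.com"
ADDRESSES = ["192.0.2.10", "203.0.113.5"]  # stand-ins for private and public IP

GOOD_SAN = ("DNS:pbx.example.com,DNS:example.com,IP:192.0.2.10,IP:203.0.113.5,"
            "URI:sip:pbx.example.com,URI:sip:example.com,"
            "URI:sip:192.0.2.10,URI:sip:203.0.113.5")

# Constructed line with a doubled prefix, a redacted address left in place,
# and a dropped letter in one host name.
BAD_SAN = ("DNS:DNS:pbx.example.com,DNS:example.com,IP:192.0.2.10,"
           "IP:203.XXX.XXX.XXX,URI:sip:pbx.exampe.com")


def parse_san(san_line):
    """Return (entries, problems) for a 'DNS:a,IP:b,URI:sip:c' style line."""
    entries, problems = [], []
    for raw in san_line.split(","):
        kind, sep, value = raw.partition(":")
        kind = kind.strip().upper()
        if not sep or kind not in KINDS:
            problems.append(f"unrecognised entry {raw.strip()!r}")
            continue
        if value != value.strip() or " " in value:
            problems.append(f"whitespace inside {kind} entry {value!r}")
            continue
        if value.upper().startswith(tuple(k + ":" for k in KINDS)):
            problems.append(f"doubled type prefix in {raw.strip()!r}")
            continue
        if kind == "IP":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                problems.append(f"IP entry {value!r} is not an address")
                continue
        elif kind == "URI" and not value.lower().startswith("sip:"):
            # Assumption: every URI entry in the thread is a sip: URI.
            problems.append(f"URI entry {value!r} is not a sip: URI")
            continue
        else:
            value = value.lower()
        entries.append((kind, value))
    return entries, problems


def expected_entries(sip_domain, registrar_fqdn, addresses):
    """Entry set assumed here: DNS per name, IP per address, sip: URI for each."""
    names = [sip_domain.lower(), registrar_fqdn.lower()]
    addrs = [str(ipaddress.ip_address(a)) for a in addresses]
    wanted = [("DNS", n) for n in names] + [("IP", a) for a in addrs]
    wanted += [("URI", "sip:" + host) for host in names + addrs]
    return wanted


def check_san(san_line, sip_domain, registrar_fqdn, addresses):
    """Return a list of findings; an empty list means the line matches."""
    entries, findings = parse_san(san_line)
    wanted = expected_entries(sip_domain, registrar_fqdn, addresses)
    present = set(entries)
    for kind, value in entries:
        if (kind, value) in wanted:
            continue
        # An unexpected entry that is nearly an expected one is likely a typo.
        same_kind = [v for k, v in wanted if k == kind]
        close = difflib.get_close_matches(value, same_kind, n=1, cutoff=0.8)
        if close:
            findings.append(f"{kind}:{value} looks like a typo of {close[0]}")
        else:
            findings.append(f"{kind}:{value} is not one of the expected names")
    for kind, value in wanted:
        if (kind, value) not in present:
            findings.append(f"missing {kind}:{value}")
    return findings


if __name__ == "__main__":
    for label, line in (("good", GOOD_SAN), ("bad", BAD_SAN)):
        print(label)
        for finding in check_san(line, SIP_DOMAIN, REGISTRAR_FQDN, ADDRESSES):
            print("  ", finding)
```

Trim `expected_entries` to the entries your own deployment actually needs; the checker only compares the line against whatever that function returns.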


RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Travis Harper:

The reason the SIP Domain and FQDN is: ix.pfcommunications.com is that points to our public IP. pfcommunications.com points to some public IP address that we do not own. I would assume it's whoever hosts our website.

Should I update that anyway?

On our internal DNS Server, I believe I have it set up correctly. On a local PC, If I go to nslookup ix.pfcommunications.com it points to my PBX Internal IP Address

See Photos:

DNS:pfcommunications.com,DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

Where do these two get installed? Windows Certificate Store?



Which is the Identity PEM?









ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr, Travis Harper is right... I'm up and running.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@Sparrow4
Glad you got it sorted.
Sorry for the late reply.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
I have updated my: SIP Domain Name to: pfcommunications.com

Which is the Identity PEM? Please see my questions above. Would love to get this working after months of testing :)

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr... you are at the steps to install the certs on a Windows machine? Let me know so I can send you screenshots. Also I used to install 2 certs but now I only install one.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Sparrow4 - Yes I just am not sure which ones.

I Installed this one on my IPO:



And downloaded these two:

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

You need to install the root in trusted root certs, on your device ( Windows/Mac/IOS/Android)
But, hey, install them both for good measure. Just make sure to trust them. This process varies depending on device. I am a Mac user, so I open the cert in the Keychain Access app, and set it to always trust.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper: Does your certificate SAN work as?:

DNS:pfcommunications.com,DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

192.168.1.251 is my Internal for the PBX

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yes. Your SAN line looks correct.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Not to confuse anyone please clarify why for both dsm600rr and myself @Travis H - derfloh - Pepp77 - JazzWizzard.
I understand that dsm600rr and I won't have the exact same config. in the example of a windows user:
1-In a browser from the windows PC I go to http://test.something.com:8411/WebRootCA.pem to download the cert
2- Search and find the downloaded WebRootCA.pem on the Windows machine, rename the file to WebRootCA.cer, then install it

That's how installing my cert is working for me. Should dsm600rr do the same?

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
My main confusions are:

Since pfcommunications.com points to some other public IP Address, guessing whoever hosts our website, should I be using that for the SIP Domain Name?

Or should I be using ix.pfcommunications.com for both the SIP Domain Name and SIP FQDN?

If so, should my SAN look like this:

DNS:DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:173.XXX.XXX.XXX,URI:sip:192.168.1.251

or This?

DNS:DNS:ix.pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr

The sip domain does not need to be routable to the IP Office.
Only The FQDN does.

How I had it setup and working...until recently.
my sip domain is tharper.ca which resolves to a web server I run internally and my public Ip Externally <-NAT firewall is port 80
my FQDN is sip.tharper.ca, which resolves to my IP Office internally, and public IP externally <- Firewall NAT rules in place and using IP office preferred ports so I don't conflict with port 80 on my web server.

DNS:sip.tharper.ca,DNS:tharper.ca,IP:192.168.0.242,IP:24.77.69.177,URI:sip:sip.tharper.ca,URI:sip:tharper.ca,URI:sip:192.168.0.242,URI:sip:24.77.69.177

Today, I do it differently. I have my LAN 1 directly connected to the internet, with the public IP (it's just a lab). My SAN is much smaller now with just 3 entries: DNS, IP, SIP on the public IP.
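As an added example (not part of the post above, and not Avaya code), this Python check parses a SAN line in the `DNS:/IP:/URI:sip:` format used in this thread and reports which identities from the full pattern posted above are missing or malformed. The function names and the `example.test` / `192.0.2.10` values are constructed for illustration.

```python
import ipaddress

def parse_san(line):
    """Parse 'DNS:a,IP:1.2.3.4,URI:sip:a' into typed entries plus a problem list."""
    entries = {"DNS": [], "IP": [], "URI": []}
    problems = []
    for raw in line.split(","):
        item = raw.strip()
        kind, sep, value = item.partition(":")
        kind = kind.upper()
        if not sep or kind not in entries or not value:
            problems.append(f"unrecognised entry: {item!r}")
            continue
        if kind == "IP":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                problems.append(f"not an IP address: {item!r}")
                continue
        elif kind == "DNS":
            # A ':' inside a DNS value usually means a doubled 'DNS:' prefix.
            if ":" in value or " " in value:
                problems.append(f"malformed DNS name: {item!r}")
                continue
            value = value.lower().rstrip(".")
        else:
            value = value.lower()
        entries[kind].append(value)
    return entries, problems

def missing_identities(line, fqdn, sip_domain, addresses):
    """Return (missing, problems) against the DNS + IP + URI:sip pattern."""
    entries, problems = parse_san(line)
    wanted = [
        ("DNS", fqdn.lower()),
        ("DNS", sip_domain.lower()),
        ("URI", f"sip:{fqdn.lower()}"),
        ("URI", f"sip:{sip_domain.lower()}"),
    ]
    for addr in addresses:
        ip = str(ipaddress.ip_address(addr))
        wanted += [("IP", ip), ("URI", f"sip:{ip}")]
    missing = [f"{k}:{v}" for k, v in wanted if v not in entries[k]]
    return missing, problems

# SAN line exactly as posted above.
POSTED = ("DNS:sip.tharper.ca,DNS:tharper.ca,IP:192.168.0.242,IP:24.77.69.177,"
          "URI:sip:sip.tharper.ca,URI:sip:tharper.ca,"
          "URI:sip:192.168.0.242,URI:sip:24.77.69.177")
# Constructed line with a doubled prefix and several entries left out.
CONSTRUCTED = "DNS:DNS:sip.example.test,IP:192.0.2.10,URI:sip:sip.example.test"

if __name__ == "__main__":
    print(missing_identities(POSTED, "sip.tharper.ca", "tharper.ca",
                             ["192.168.0.242", "24.77.69.177"]))
    print(missing_identities(CONSTRUCTED, "sip.example.test", "example.test",
                             ["192.0.2.10"]))
```

Run it against the SAN string before generating the identity certificate; a masked address such as `173.XXX.XXX.XXX` is reported as not an IP address.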

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

For what it's worth, I tear down and rebuild my IP Office at least twice a month. I've gotten pretty used to setting it up.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr
try this maybe I have it like that
Can you try this
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP: IPO Private IP on LAN1,IP: IPO Public IP on LAN 2,IP: IPO Public on LAN1
Make Changes accordingly
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP:192.168.1.251,IP:

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
DNS:ix.pfcommunications.com,DNS:pfcommunications.com,IP:192.168.1.251,IP:173.XXX.XXX.XXX,URI:sip:ix.pfcommunications.com,URI:sip:pfcommunications.com,URI:sip:192.168.1.251,URI:sip:173.XXX.XXX.XXX

IPO Connectivity:

WAN: This is my Voice VLAN, where the IPO Is acting as the DHCP Server, All my internal phones register, and My SIP Trunk comes in. The public IP Here is my Firewall for the SIP Trunk:





LAN: This is on my Data VLAN and where I have the SIP Domain / FQDN. The public IP here is an open one on our block.




ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Internally, if I ping ix.pfcommunications.com it resolves to my PBX on the Data VLAN



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Cleaning up my notes to send them to you. Give me by tomorrow.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

The only thing I noticed from your screenshots is that IX Workplace is connected via LTE, and your ping screenshot is showing 192.168.1.251
If you put your iPhone on the same lan as the IP Office, does it connect?

From my location, if I ping ix.pfcommunications.com, it gets timed out.
Also, I can't browse to ix.pfcommunications.com/46xxsettings.txt

Connected over LTE will not work as it's configured now, regardless of how the cert is setup.




RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

one thing that also helped.
In the meantime
from IPO ping the IPO gateway subnet
from IPO ping internal DNS
from IPO ping 8.8.8.8
Those need to be successful
+++++++++++++++++++++++++


RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper

"If you put your iPhone on the same lan as the IP Office, does it connect?" - Yes it does.

"From my location, if I ping ix.pfcommunications.com, it gets timed out." - Mine does as well. It used to show my Public IP, I wonder why it no longer does. If I do a nslookup it works. So does DNS Checker. Any ideas why this may be?

Internally if I ping ix.pfcommunications.com it resolves to my IPO

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Sparrow4

"from IPO ping the IPO gateway subnet"


"from IPO ping internal DNS"


"from IPO ping 8.8.8.8" **Not sure why this one shows the Voice VLAN 172.30.20.1 (IPO WAN) - Shows this when I tested with both the LAN / WAN**


ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I think as far as IPO goes, you are good.

FYI.. when I ping the domain, it does show the public IP and that means the DNS is working. No response or timeout means the firewall is blocking any type of response. The packet does not know where to go.

You just need to work on the firewall, so you register externally.
Are you using a Session Border Controller, or are you just doing Firewall NAT rules?



RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Travis Harper: I have a decent Cisco guy

Is there anything in particular I should pass along to him to do on the ASA?

"when I ping the domain, it does show the public IP and that means the DNS is working" - What are you pinging? Do you mean here?



No SBC.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

It means the DNS server is configured properly. The domain is resolving to the correct IP address. The ping is timing out because the ASA is not configured properly.
The ASA is blocking all packets from reaching the IPO.

Everything from this point on requires your ASA guy to do some work.

You need your ASA guy to forward port 5060-5061 TCP to the internal IP address of the IPO.
You will also need the ASA guy to forward the RTP range to the internal IP of the IP Office.

You will also need the ports 80 and 443 forwarded as well. If you have checked “use preferred ports” then instead of 80 and 443 forward 411 and 8411.

That should be all you need for IX Workplace.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper:

"You need your ASA guy to forward port 5060-5061 TCP to the internal IP address of the IPO"

Roger that, 192.168.1.251



"You will also need the ASA guy to forward the RTP range to the internal IP of the IP Office"

Would that be these ports?





"You will also need the ports 80 and 443 forwarded as well. If you have checked “use preferred ports” then instead of 80 and 443 forward 411 and 8411."

I do not have "Use Preferred Phone Ports" Checked, so 80 and 443 forwarded to 192.168.1.251


ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yes, those are the RTP ports. You need that or you won't be able to send audio. Those are UDP not TCP.
Also, yes, if you are not using the preferred ports, then you need to forward 80 and 443 as well.

Good to go.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
From my Firewall Guy:

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

A couple of things to check.
What does the firewall trace reveal for port 5060, 5061 for sip registration?

What is your network topology set up as In IP Office?
Do you have your external IP Address configured in Network Topology
What type of NAT is selected?
Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.


RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper:

What does the firewall trace reveal for port 5060, 5061 for sip registration? I will find out from him


What is your network topology set up as In IP Office?




Do you have your external IP Address configured in Network Topology Yes


What type of NAT is selected? Unknown


Also verify System/IPRoute is configured correctly. <- 0.0.0.0/0.0.0.0 (Gateway to get outside) LAN1/2 <- whichever one has access to Gateway.




ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Hi @dsm600rr
please take screenshot of current configs before making changes so you can revert back if needed.
you need successful ping from 192.168.1.251 to 8.8.8.8
Also your Voice network and the data are both on the same network?
I made changes to some screenshots, see below.... @Travis H - Pepp77 - JazzWizzard can you fact check.
My configs are similar hopefully that can help dsm600rr. I'm sending more screenshots tomorrow for the Cert and firewall.

this was already configured on my LAN 2 I just want to point this out... I didn't touch this so maybe adding a STUN server was necessary.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Looks good to me, but then again, I never use LAN2, so your setup is new to me.
To me, the issues you are facing are network related. Either with the IP route on the IP Office, or your Cisco ASA Firewall config.

We know that when IX Workplace is on the LAN it connects and works as expected.
We know that when IX Workplace is on LTE you can not connect.

I know that when I ping ix.pfcommunications.com I get:
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

So we know that DNS is resolving correctly, but there is network issue preventing the pings from replying.
It's not just pings, because when I browse to ix.pfcommunications.com, the browser can not find the server. So I know that port 80 and 443 are also not responding.

Again I have never used both LAN 1 and 2 in my configs, so it's possible you have an IP Route problem there. Packet hitting the IPO on LAN 1, and being told to go out on LAN2 but can't.. or vice versa.

Does 192.168.1.1 have access out the ASA? I ask, because your SIP registrar settings appear to be set up on the LAN 1 interface, but your public IP appears to be set up on LAN 2. This setup may be valid for all I know.. I've just never done it this way.

I have everything configured on LAN 1, and my IP Route is 0.0.0.0/0.0.0.0 192.168.0.1 LAN1, which is my router's gateway address.






RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper

I apologize for the late reply and appreciate all your efforts! I have been moving since Monday and let's just say that was a major pain in the you know what.

I will try and explain my setup a bit better. I really would like to get this working.

LAN
This is where I am having IX Workplace Register.

This is also on the Data VLAN and Internal DNS Server VLAN.

This is also the same VLAN the ASA is handing out DHCP for the PC's as well as for IX Workplace.

The ASA has a Public IP of: 173.XXX.XXX.209

I have the Network Topology for the IPO to: 173.XXX.XXX.210

WAN

This is the Voice VLAN. I have the IPO acting as the DHCP Server for my J179's / Vantage Phones. I also have a SIP Trunk coming in on this VLAN.

The SIP Trunk I have using the Public IP Address of the ASA.

The thing that is getting me is when I ping Google out the LAN (Data VLAN) on the PBX, it shows it using the WAN (Voice VLAN)







ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I am not a networking expert, but I would say the problem is:
Workplace is registering to the LAN 1 Interface, but the LAN 1 topology public IP address ends in 210, which is different than what the CISCO ASA public interface is.

In my feeble brain, I would think the NAT rules need to be LAN private to CISCO Public SIP.

Travis

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper

I changed LAN 1 Network Topology to the ASA and re-did the ping - Still tried to go out the Voice VLAN :|

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

when I ping it, its still ping ix.pfcommunications.com
PING ix.pfcommunications.com (173.162.40.210): 56 data bytes

Your CISCO ASA ends in 209.

At the end of the day, you will never get Workplace to register from outside the network if you can't point the public interface 173.162.40.210 to 172.30.20.1, and the ASA has to do that NAT translation.

When you can open http://173.162.40.210/46xxsettings.txt in your browser, you're on the right track.

Curious, what happens if you open http://x.x.x209/46xxsettings.txt in a browser. <- your Cisco SIP interface from screenshot above.

Travis

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Travis Harper

I switched it back to 173.162.40.210 after the ping test. It still went out the Voice VLAN when pinging from the Data VLAN.

http://173.162.40.210/46xxsettings.txt internally times out.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr

External name resolution:
ix.pf.communications.com resolves to => 104.247.82.52

Internal name resolution:
ix.pf.communications.com resolves to -> 192.168.1.251
+++++++++++++++++++++++
On LAN 1 under network topology change the Public IP to 104.247.82.52

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
@Sparrow4

It's: ix.pfcommunications.com - You have one extra period after pf

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr I realize that now. Do you also own the ix.pf.communications.com? I don't think that it matters at this point. Also my DHCP is configured under LAN 1. Yours is under LAN 2. Was it always like this? If @ Travis and you are ok we can clear the IPO config one last time this morning and Monday all you'll have to do is make changes with your Firewall Tech.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Hello All. Just wanted to update this thread.

So I ended up moving everything that needs to get out to the internet over to our Data VLAN: 192.168.1.XXX (LAN)

That includes the SIP Trunk, Stuff for IX, Static Public IP and what not. This also is the IP Route out.

On the Voice VLAN: 172.30.20.XXX I have my internal phones and IPO DHCP Server Only (WAN).

After doing so, everything is working now. Certificates are both good on my iPhone and Home PC's

Thanks for all the help Gents. This was a long learning experience with Certificates, FQDN's, Split DNS and the list goes on!

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Glad to hear it! Yes, this thread was quite a ride for sure.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Noticing a lot of this:

Rather than some of these hits being temporarily blocked, can they be permanently blocked after a certain amount of hits?


Thoughts.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yes, you can, sort of, at least as it applies to SIP.
It's not easy, and takes some trial and error.

Log into the IP Office and edit the NoUser.
Add a couple of Source Numbers (change the limit to your own value - trial and error):
1. B_RATE_HIGH_LIMIT=20
2. B_RATE_HIGH_THRESH=2000

SIP messages that exceed the high limit over the time threshold limit will be permanently blocked until you manually remove the block using the Monitor application.

Excessive SIP Traffic Blacklisting
IP address blacklisting can be applied when the number of SIP messages (all types) from the same address exceeds a set rate. The default rate is 100,000 messages in 100 milliseconds. Unlike the options above, this blacklisting can only be manually removed.

The following NoUser source numbers can be used to alter the use of SIP traffic blacklisting:

- B_RATE_HIGH_LIMIT=X where X is the number of SIP messages allowed within the time threshold. Default = 500, minimum = 1, maximum = 100,000.

- B_RATE_HIGH_THRESH=Y where Y is the time threshold in milliseconds. Default = 100, minimum = 100, maximum = 300,000 (5 minutes).
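To shorten the trial and error, the added example below (not from the post and not Avaya code) replays timestamped SIP messages through a simple sliding-window model of B_RATE_HIGH_LIMIT / B_RATE_HIGH_THRESH and shows which sources would be blacklisted. The exact counting method IP Office uses is not stated on this page, so the window logic is an assumption, and the traffic is constructed.

```python
from collections import defaultdict, deque

def simulate_blacklist(events, limit, thresh_ms):
    """Replay (timestamp_ms, source_ip) events sorted by time.

    Assumed model: a source is blacklisted once it has sent more than
    `limit` messages within any `thresh_ms` window. Blacklisting is
    permanent for the rest of the replay (manual removal only).
    Returns {source_ip: timestamp_ms_when_blocked}.
    """
    windows = defaultdict(deque)
    blocked = {}
    for ts, src in events:
        if src in blocked:
            continue  # already blacklisted, further messages are dropped
        window = windows[src]
        window.append(ts)
        # Discard messages that have aged out of the threshold window.
        while window and ts - window[0] >= thresh_ms:
            window.popleft()
        if len(window) > limit:
            blocked[src] = ts
    return blocked

def constructed_traffic():
    """Constructed sample: one scanner and one legitimate softphone."""
    # Scanner: one SIP message every 50 ms for 3 seconds.
    scanner = [(t, "198.51.100.7") for t in range(0, 3000, 50)]
    # Softphone: a burst of 8 messages when it registers, repeated a minute later.
    phone = [(base + t, "203.0.113.25")
             for base in (0, 60000) for t in range(0, 400, 50)]
    return sorted(scanner + phone)

if __name__ == "__main__":
    traffic = constructed_traffic()
    # Values from the post: the scanner is caught, the phone is not.
    print(simulate_blacklist(traffic, limit=20, thresh_ms=2000))
    # A tighter limit also blacklists the phone's registration burst.
    print(simulate_blacklist(traffic, limit=5, thresh_ms=2000))
```

Feed it timestamps and source addresses exported from your own captures to see how close a candidate limit sits to the busiest legitimate client before applying it.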

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

There is another thing I do as well, that really cuts down attempted VOIP attacks.
I block port 5060/5061 and configure my IP Office to use non-standard ports for SIP.

I also change the SSH port to something other than 22 as well, and block port 22.

I have been trying to play with the Linux firewall, and installed fail2ban, and was going to enable GeoIP country blocking, but I can't get that to work. That has to do with firewalld or iptables in IP Office.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Travis Harper: Appreciate all the info

Are you just referring to the Remote Ports?

Where is the SSH Port?





ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yep... @ Travis what alternate port can dsm600rr replace those with?

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

also after you replace them you need to link with your Firewall guy to update the rules on his end.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Sparrow4: Thank you. I just wanted to confirm those are the correct ports I am changing before I do so.

What are some good alternatives?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address


I change them both on my system, not just remote.
5064 5065 are good alternates. It does not really matter as long as it's not 5060 5061.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

the ssh port is a bit tricky.

You need to ssh in to the IP Office, escalate to root, and edit the /etc/sshd/sshd_config file.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Travis Harper:

Thank you.

Look good?



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yup.
Don't forget to update the firewall changes.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
So I updated the port in IX Workplace to 5065 and that is working perfectly, however it broke my SIP Trunk.

Firewall has ports 5060 / 5061 blocked and updated to 5064 / 5065

I updated the port here:



Thoughts?

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

try revert only send port to 5060, UDP and TCP port to 5060. Leave layer 4 protocols TLS to 5065, remote UDP and TCP to 5064, remote TLS to 5065. Public UDP and TCP to 5064, Public TLS to 5065.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

I think the default / non-remote UDP, TCP and TLS are for internal use. I wouldn't block those ports specifically but just have the firewall guy update the old rule from 5060 and 5061 with 5064 and 5065.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Yup. Once you change the ports on the IP Office, you need to change them on the SIP Lines, and also with your SIP providers.
I use DIDWW.com. So I log into my DIDWW.com account and change my inbound SIP trunk to use port 5069, since that is what my IP Office is listening on.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@Travis. dsm600rr shouldn't revert anything and make the changes you mentioned?

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
All,

Working with my firewall guy, we came up with the following:

Port 5060 is only allowing inbound traffic from our SIP Provider through

Port 5061 is Blocked

Port 5064 / 5065 are open for IX Workplace



ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

looks good to me

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

is it working now?

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Yes everything is working again. :D

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Nice

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
Just an update, updating the ports halted all outside attacks. Have not had one hit since the update.

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

upsidedown

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Right on. Security through obscurity. :)

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

Glad you got it working, but your IP route was the reason that you were trying to ping with the LAN port but it was going out the WAN port (and why it wasn't working):

On the LAN port you have an IP Route:
192.168.1.0
255.255.255.0
192.168.1.1

On the WAN port you have an IP Route:
0.0.0.0
0.0.0.0
172.30.20.254

This means that anything not on the 192.168.1.X subnet will use the WAN port IP route.

The truth is just an excuse for lack of imagination.
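The route selection described in the post above, as an added Python example (not part of the post): it picks the egress interface by longest-prefix match on the destination, and shows why replies to an external client that arrived on the LAN side left via the WAN. The client address 203.0.113.25 is constructed, and the "after" table is an assumption based on the OP's description of moving the route out to the Data VLAN.

```python
import ipaddress

# Routes as listed in the post above: (destination, mask, gateway, interface).
ROUTES_BEFORE = [
    ("192.168.1.0", "255.255.255.0", "192.168.1.1", "LAN"),
    ("0.0.0.0", "0.0.0.0", "172.30.20.254", "WAN"),
]
# Assumed table after the fix: default route on the Data VLAN. The gateway
# 192.168.1.1 is an assumption taken from the LAN route above.
ROUTES_AFTER = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "LAN"),
]

def select_route(routes, destination):
    """Return (network, gateway, interface) of the most specific matching route."""
    dst = ipaddress.ip_address(destination)
    matches = []
    for dest, mask, gateway, interface in routes:
        network = ipaddress.ip_network(f"{dest}/{mask}")
        if dst in network:
            matches.append((network, gateway, interface))
    if not matches:
        return None
    # Longest prefix wins; the 0.0.0.0/0 default only wins when nothing else matches.
    return max(matches, key=lambda route: route[0].prefixlen)

def egress_interface(routes, destination):
    route = select_route(routes, destination)
    return route[2] if route else None

def reply_is_asymmetric(routes, arrival_interface, client_ip):
    """True when a reply to client_ip leaves on a different interface than
    the one the request arrived on. The lookup uses the destination only,
    so the interface the request came in on does not influence it."""
    return egress_interface(routes, client_ip) != arrival_interface

if __name__ == "__main__":
    # Pinging 8.8.8.8 "from the LAN" still leaves via the WAN default route.
    print(egress_interface(ROUTES_BEFORE, "8.8.8.8"))
    # Request NAT'd in on the LAN side, reply sent out the WAN side.
    print(reply_is_asymmetric(ROUTES_BEFORE, "LAN", "203.0.113.25"))
    print(reply_is_asymmetric(ROUTES_AFTER, "LAN", "203.0.113.25"))
```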

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

@dsm600rr

For security reasons you should not have 5060 opened on your firewall. I have noticed you NAT'd the external port to UDP 5064; this is still an unencrypted port, so anyone listening on your network will see the registration for these SIP clients' username and password in plain text. Bots scan your external IP and all ports that are open; they will see this 5064 open and attack it, not as fast as port 5060, but it is a security issue that you should resolve.

Use the encrypted port 5061 TLS, external port 5065 TLS. People above and loads of other threads have explained exactly how to install the identity certificate for the SIP clients.

If you don't believe me, run a Network scanner against your public IP and you will see the results.

When you are creating the certificate have both the DNS names in the certificate.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
bahmonkeys: we have 5060 opened only for two IP Address from our SIP Provider.

Can you elaborate a bit on exactly what I should update. Is this just in reference to:

Remote UDP Port: 5064
Remote TCP Port: 5064

Public Ports:
UDP: 5064
TCP: 5064

ACSS

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

You changed the ports on the Avaya IPO but did you block them on your edge router?

You use SIP providers. Lock down the port 5064 to the SIP providers' public IPs on your firewall and block port 5060 and 5064 UDP/TCP.

For IX Workplace registration, use port 5061 TLS for external access.

This is a public forum and you shouldn't have shared your DNS records; anyone can scan your public IP and find these ports opened. Look into GeoIP filters and create security layers.

RE: Avaya IX Workplace Help - SIP Registrar FQDN must be set and must be reachable from external address

(OP)
bahmonkeys: Like this?



ACSS
