Program mivoice 250 remotely

[Enobaham]

I want to be able to program MiVoice 250 remotely. I have a few clients who are a few hours+ away which makes traveling to them for simple programming changes a pain.

I know I need to do something with NAT addresses, but I am fairly new to NAT so I was wondering where I get my NAT address from or do I just make one up? (some 172. address?)

I know there is also something I need to do on their router. As far as I know I would only need to open port 44000 since all I want to do is access DB Programming.

I just want to be able to login to DB Programming remotely.

I also saw something called Remote Configuration Settings (no, I did not make any changes in here, I just looked). Would this have anything to do with remotely accessing DB Programming?

[RLyon]

Besides the porting, I believe you just need their external IP and put that into your settings

[acejavelin]

Remote programming on the MiVO 250 is pretty simple... 1 port is all that is really needed, 2 make it nice, 3 makes it super nice...

Port 44000/TCP is all that is really needed to program a MiVO250, but the system administrator and reporting won't work without 443/TCP (we often change this to 8443 or 65443 to avoid customer network issues), those two make a nearly local programming experience. Port 22/TCP is SSH for the terminal diagnostics, but I don't recommend using this unless you can lock it down to a specific IP address or range for the source as having it open to the public can be dangerous.

So basically you need to know the customers IP address or DNS/DDNS name, and have 44000/TCP and 443/TCP port forwarded in the router to the MiVO250's internal IP address and you can do 99% of everything the customer would ever need. If you have any questions about how to implement this specifically, feel free to ask... Many of us here have this setup with hundreds, even thousands, of systems and for many of us it is a standard part of the installation process.

[Enobaham]

Ok. It sounds very simple. I am going to repeat this back so I can make sure I understand.

I need to know the cx routers public address. (yyy.yyy.yyy.yyy)

I port forward ports 44000/TCP and 443/TCP to the MiVoice internal address (xxx.xxx.xxx.xxx)

Then on my own computer on my own network I type cx routers public address (yyy.yyy.yyy.yyy) and boom I'm in? I assume I would type it like so yyy.yyy.yyy.yyy:44000 or would I want :443?

I do not have to set a NAT address on the MiVoice 250?

If it really is this simple I will be making this a standard practice here as well. Some clients require us to take a ferry to come on site, so this would save our lives.

[acejavelin]

It's even simpler than that... In the Mitel System and Diagnostics software, go to the connections and there is a spot to tick for remote access, and put that external IP address in there. Then there will be two entries for that site, one for local and one for remote. Just select the one you want.

[Tech Electronics]

Enobaham,

If you plan on making that a part of your installation practices then you need to make sure that harden the system as much as possible.

At a minimum go to System > IP Settings and set the Listening Port Unsecured Enabled to No and then go to System > IP Settings > Web/SSH settings and change the Port numbers required for Web and SSH. Also, if you don't have a PS-1 I recommend shutting down SSH until you need it. Depending on the software version there are some security concerns with SSH and known hacks.

If you want to continue with making it harder for others to compromise your systems you can change the port used for DB Programming as well.

There are some security documents by Mitel to help secure you system so I would recommend reading and implementing those as much as possible to protect your customers and your company.

Thanks,

TE

[acejavelin]

As Tech Electronics said, but the BEST way to harden this is restrict the source IP's for port forwarding... Restrict the port forwarding to only allow your company IP(s) to access it, we do this all the time... Our two locations use two public IP address ranges, we just restrict the port forwarding to only coming from those two ranges and everything else is rejected. Most enterprise grade routers can do this with very little difficulty. This all just goes back to basic network security... Remember you are not dealing with a home network in this case, harden it like an enterprise or you will likely regret it later.