MBG - no way audio?

[ucx]

I'm having issues witha customer's MBG setup in that, while the phones internally and externally (via MBG) can create a call, no audio is heard at either end during said call. I know that it's more often than not a routing issue for things like these, so I've gone over and over the port forward rules with the IT guys servicing this site (MBG is in server-only mode) but even with the ports forwarded correctly, there is still no audio.

The setup: 3300 ICP and MBG are on the same subnet behind a router with 2 WAN connections (and consequently, 2 IPs), neither of which is dedicated to the MBG. Rules in the router have been applied (apparently) to both WAN connections.

I have tried: turning local streaming on and off, putting the server in the DMZ, checking the configuration against known working sites, but still nothing. If anyone has any ideas at all as to what to look for next, I would be eternally grateful.

[ralph]

For some reason I'm uncomfortable with the MBG in the same subnet as the 3300 but I just can't put my finger on why.

Nevertheless, I'm thinking the next step is to (1) do a wireshark sniff of the MBG & (3) a wireshark sniff of the internal phone.   I don't think you'll need to work about the external phone.   I suspect you'll find that packets aren't going to where you think they're going.

The standard set up here should be the MBG in the DMZ.   If you have to NAT then it must be in server only mode.   I'd also consider putting that back in the DMZ.   You could also put it in server/gateway mode and bypass the firewall.  (I know, the security guys among us are convulsing just now.)  If you do that, remember that you cannot NAT.  The external IP must be assigned directly to the external interface of the MBG.

Ralph

[bobcheese]

ok so more info needed please:

MBG in server only (1 NIC) or server gateway (2 NIC) with the 2nd NIC being an internet connection.

Deffault gateway of the 3300 & also the IP sets (Via DHCP) as call setup is handled by controller but voice stream is set - set.

Settings from the advanced tab of the MBG server

[ucx]

Thanks for the replies, guys.
It's running in Serveronly mode because the customer freaked when I explained the server-gateway mode. The MBG in the server has only 1 NIC (it's vMBG if that makes any difference, but the physical server itself has only 1 NIC).

I managed to get into the router setup this afternoon and check out the port forwarding - it was, as expected, a shambles, so I wrapped most of it up in 1 rule: UDP 1024-65535. (Previously they had it split into chunks where they were missing a great deal of ports used for voice comms, why I have no idea).
I also tried to get into the advanced tab for you, bobcheese, and while I was in there, I saw the Network Profiles tab - one profile of which was labelled 'Serveronly mode - DMZ configuration'. The one I had previously selected and applied was 'Serveronly mode - LAN configuration'. I ran and applied the DMZ configuration profile and WHAM! calls came through, can hear both ways.

Thanks for the help, guys, I was planning on going on site (100km away from my office) tomorrow to sniff traffic and check the router 'personally' (only maybe using a steel bat) but it seems like it's working now. I blame this on bad instructions given by me to the server guys (really need to dummy down my requirements and not assume working knowledge on other people's part) and reading I&M instructions for releases out of date (damn you, Mitel course pre-requisites being tied to version numbers! ).

[brantn]

First off you break apart firewall rules to minimize the attack area opening that many ports you are a sitting duck there should be a list of ports that need open for the traffic coming in and going out these are the only ones that should be opened. You just opened 64000 ports to the outside world compared to 1000. The reason a dmz configuration is for just that it doesn't apply wan to dmz restrictions to it typically and segregates it from the lan. I am assuming that might be where the issue resides is that it is configured in the firewall for dmz and the rules are not setup to allow that traffic back from lan to dmz. I would highly recommend to fix your firewall change. It isn't and issue having MBG and 3300 on the same network.

[ucx]

In the Firewall section of the Technicians Handbook for MBG, it specifies the ports to open, and lo and behold, in there it says to open ports 1024 to 65535 for UDP to enable Voice Comms.
I wouldn't have done it otherwise, regardless of how secure the MBG is, but the manual says it needed that range open.

[brantn]

Wow thanks for the info. MBG is pretty secure as I have had pen testing done on it. That is a ton of ports to open that is why I have it on a dedicated wan.

[martyn]

First thing I would do in this instance would be to run the TNA tool and see what is actually listening and what isn't.

As for rules on the firewall, this is what I've used in the past and it has worked.
 

Code: [Select]

permit tcp any host xxx.xxx.xxx.xxx eq 443
 permit tcp any host xxx.xxx.xxx.xxx range 6801 6802
 permit tcp any host xxx.xxx.xxx.xxx range 3998 3999
 permit tcp any host xxx.xxx.xxx.xxx eq 6880
 permit udp any host xxx.xxx.xxx.xxx range 20000 31000
 permit udp any host xxx.xxx.xxx.xxx eq 5060
 permit udp any host xxx.xxx.xxx.xxx eq 5064
 permit udp any host xxx.xxx.xxx.xxx range 6806 6807
 permit tcp any host xxx.xxx.xxx.xxx range 36005 36007

[ucx]

Aha, I see now where I was mistaken.

The guide says to allow access from 1042-65535 from the MBG server to the internet and LAN, but 20000 to "configured upper bound in Advanced tab (SRTP)" (which is commonly 30000 I think) from the internet to the server.

My bad, I totally read that wrong. I'll be onsite tomorrow and I'll whip out the TNA and see what it's saying, see if I can pare down that range to something sensible. Thanks, guys.