How to setup a 5320 to work outside of the LAN

[unclejemima]

Because the Mitel 5000 is IP based, I would assume I can take a phone (5320 in this example) and move it to a location outside our LAN and have it function identical as if it were inside the building.

We have a Static internet connection at work, what I would assume is necessary for this to function reliably.

Can anyone tell me what is required to make this work?  I'd imagine we have to open up some ports on our firewall to allow the phone to connect to the mitel 5000 unit.

How well does this work when outside the LAN?  What sort of bandwidth is needed for this to function without serious latency?

Any advice would be appreciated.

Thanks,

[NTEDave]

Set the system NAT IP Address in your system to your external address. This is in two places, under IP Settings and IP Connections then processor module.

Open these ports in your router and point them to the internal address of the 5000:

3998-3999 TCP
4000 and 44000 TCP (If you want to administer the system remotely)
5004-5007 UDP Range
5060 UDP (Not needed for IP endpoints but sometimes needed for SIP Trunks)
5566 TCP
5567 UDP
5570 TCP
6004-7039 UDP Range
6800-6802 TCP Range
20001 UDP
50098-50508 UDP Range

In programming for the phone you want to move outside of the LAN, set the NAT Type to NAT under IP Settings. On the phone program the external address for your site under ICP IP address and TFTP Server and you should be good to go!
 

[acejavelin]

All of these ports do not need to be opened for just Mitel phones, the ports needed are clearly laid out in the manual.

The port ranges needed for Mitel phone Voice Traffic are: 69, 20001/UDP; 6800-6802/TCP; 3998 and 3999/TCP, 50098-50508/UDP; 6004-6261/UDP

(The other ports mentioned in the previous post are for various networking and Inter-Tel branded IP phones)

Then set the phone programming in the 5000 IP Settings to NAT, and in the phone boot and hold 7 to put the phone in Teleworker Mode and set a New IP address of the public IP that is routed to the phone system.

You also need to set the NAT IP address properly in two placed in the 5000, go to System->IP Settings and set the System NAT IP Address to the public IP address mapped above, and in System->Devices and Feature Codes->IP Connections->P6000 set the NAT IP Address to the same public IP.

Ports needed to administer the system remotely will vary somewhat by software revision, older system use 4000/TCP for programming and newer systems use 44000/TCP, all systems use 443/TCP for Admin Web Page access and 22/TCP for telnet access to low level functions.

Bandwidth usage will vary based on the Codec used, the default G.711 uses about 90Kbps (bi-directional) for a voice call, and G.729 uses 35Kbps... the bandwidth is rarely an issues, latency and delay are the big problems with VoIP on remote phones. Changes to this are made based on the Call Configuration assigned to the set.

[unclejemima]

Thanks guys.  I will give this a try.

We have a traveling salesperson who wants to use his 5320 while in hotels and also while at his remote office.

Is there there any security issues while using the 5320 on hotel internet?  What about from the remote office?

I've heard some people pre-configure a router to go along with the phone to give more secure connection with VPN or similar?  Can anyone offer any advice on this?

Thanks again!

[acejavelin]

If you setup a travelling VPN router, then none of the above configuration is needed, just put the phone in Teleworker mode and enter the LAN IP address of the 5000 and you should be good to go, in theory anyways, I have never tried this.

There are not any real security issues well traveling, unless you are concerned someone might packet capture the phones data and decrypt the audio stream which is highly unlikely... Note that some public access firewalls or Internet access controllers might not allow all the ports needed through so the phone may not work in some hotels, coffee shops, etc. but most of the ones I have been in work fine. In the remote office, where it is likely just a SoHo router there isn't really an issue. Beware of opening up port 5060 in your firewall though, hackers love that and will try to get credentials and make calls, but the security on the Mitel proprietary phones is pretty good and shouldn't cause any concern (MAC based and phone type match).

[unclejemima]

If you setup a travelling VPN router, then none of the above configuration is needed, just put the phone in Teleworker mode and enter the LAN IP address of the 5000 and you should be good to go, in theory anyways, I have never tried this.

If I try the above method, would i not have to open any ports on my firewall (on the 5000 system end) or would I still need to open 69, 20001/UDP; 6800-6802/TCP; 3998 and 3999/TCP, 50098-50508/UDP; 6004-6261/UDP?

If I can do this without opening ports, then this would be better as our boss hates when we open ports that are not needed for obvious reasons.

[acejavelin]

A VPN router that is configured properly and talking to your main site's VPN host would create a VPN tunnel, all ports would be "open" between your remote network and the 5000's network... It would be like you were in the same network, so if you would point the 5320 at the internal IP address of the 5000 and it talks through the VPN tunnel.

[NTEDave]

Would the salesman not be better off with a Softphone on his laptop or a SIP client on his mobile (if supported)

Much easier than carting around a router, 5320 and the various PoE injectors and power supplies they would require.

Then the mobile phone or his laptop could create the VPN.