Mitel 5000 UCA softphone outside office without VPN

[unclejemima]

Good day.

I'd like to be able to use our Mitel UCA softphones outside the office without VPN or Teleworker. 

Its easy enough to set up port forwarding on our router to access the Mitel 5000 (only have to open port 5060)...but to reach the Mitel MAS server via port forwarding is not so easy as we're not sure of which ports to open up.

Any suggestions would be greatly appreciated.

[akuhn]

Check out these two threads I was involved with back when I setup UCA outside of our 5000.  I ultimately got it to work.  Lots of ports to open, but at least I don't have to have ALL of the ports open.

http://mitelforums.com/forum/index.php?topic=2502.msg9609#msg9609

http://mitelforums.com/forum/index.php?topic=2509.msg9627;topicseen#msg9627

[unclejemima]

Thanks.

It was mentioned the incorrect IP address was listed in the PBX configuration of the UCA portion of the MAS server.  Can anyone tell me where and how to access this?

Also, it appears in thread http://mitelforums.com/forum/index.php?topic=2509.msg9627;topicseen#msg9627 that a whole bunch of ports need to be opened...but I'm not sure between reading the threads if this actually worked.

If so, does opening these number of ports offer a security risk?  Is it safer to use a VPN?  How does VPN reliability and security compare to the opening ports method?

Thanks!

[akuhn]

Check the PBX Nodes in the UC Blade on the MAS server for making sure that your UC is pointing to your PBX correctly.  There may be other areas on the MAS you need to reference the PBX, I can't remember.

But, yes those port openings work and I believe that the performance is better than using a VPN.  Especially since UCA is often set to load on startup, if it's reliant on a VPN, that would add further difficulty to require a VPN connection before loading UCA when outside of the office.

As to what's safe and what's not, I'm not a security expert.  IMHO, using UCA with ports open to the MAS - and just the MAS - is good enough.

[unclejemima]

Thanks. 

I hope I'm understanding this correct.  Right now I'm assuming everything is set up between the MAS and the PBX.  They are both on the same LAN and all softphones inside the LAN are working flawless.

Right now I assume I just have to port forward on our router so the softphone can access all the ports it needs.  Is this list then what I theoretically have to open and point to my MAS server?

3998-3999    TCP
5060        UDP
6004-6261    UDP
6604-7039    UDP
5004-5070    UDP
6800-6802    UDP
50098-50508    UDP
5566    TCP
5567    UDP
5570    TCP
4000    TCP
4000    TCP
44000    TCP
69    TCP
20001    TCP

[akuhn]

If that is the list from previous discussions, then that should do it.  Assuming the firewall you have is a "corporate level" type unit, you are opening the ports from the WAN to the LAN for just the MAS and nothing else. 

[johnp]

As Mitel moves forward, they will want a MBG as the internet front access point. You may want to get onboard for support sake. JMHO

[unclejemima]

Yes, I've heard they are pushing the MBG as well.

I might just go that way as well.

[Johnavt]

Using a VPN on a mobile app is something our installer "suggested" when they could not get the mobile app working.
This after they had spent 2 days scratching heads.
Using a VPN on mobile just to make it work as a soft phone for the 5000 system is a complete pain and not a practical solution.
It is what gets suggested when someone runs out of ideas - from experience.

Opening ports and forwarding opens up the system to hacking attempts and ultimately DOS attacks.  Which is exactly what happened to our 5000 system.
Ultimately bringing the system down.

We only had this installed in Feb 14. I was so unimpressed with the Mobile App functionality (i.e. being told to use a VPN) - then the firewall issues - that I contacted Mitel directly to complain.

Their answer was that the MBG should be in use. But then the installer is suggesting this has only been around for 6 months on the 5000.
I have to admit I am not sure who to believe.  I cannot understand why out of the box the 5000 in 2014 does not have a secure gateway built in for remote mobiles.

I will be getting Mitel and the approved installer on a conference call and will let them fight it out ...

[johnp]

I would use the MBG. I has been around for a long time for the 3300 and the support for the 5000 was recently enhanced. It will only get better and likely become a requirement for support.

One thing I would add is when troubleshooting remote UCA I find it best to use the desktop client. You can delete the log file prior to opening the application, and if it doesn't work, you can read the log for hints.

Just had a customer who after an upgrade of their vm UCA and MBG lost operation. I was able from the logs to resolve their issue. It ended up being a certificate chain issue, while the servers had a purchased wild card certificate, they needed an intermediate certificate.