Topic: Port forwarding for 5xxx IP phones

jjordon
Port forwarding for 5xxx IP phones
« on: November 05, 2014, 03:01:16 PM »
I have a phone registered but I am getting no audio. 

Here is a list of ports I have forwarded to the system:

UDP 68-69
TCP 6800-6802
TCP 3998-3999
UDP 5004-5007
UDP 5060-6300
UDP 50098-50509
TCP 5666


I did forward 44000 to programming as well

If anyone can point me to what I might be missing, I would appreciate it.


TheQueen
Re: Port forwarding for 5xxx IP phones
« Reply #1 on: November 05, 2014, 05:42:23 PM »
If the phone is off site, make sure that the NAT Address Type (System > Devices and Features Codes > Phone > [ext] > IP Settings) is set to NAT.

Tech Electronics
Re: Port forwarding for 5xxx IP phones
« Reply #2 on: November 05, 2014, 08:14:25 PM »
JJordon,

Alright, so if all you have are SIP and Mitel 52xx/53xx style phones then all you would need open are the following ports.

UDP - Bidirectional
69 or 20001    TFTP
50098-50508    Phone Audio RTP
6004-6261      Base Processor Audio Receive RTP
6604-7039      Expansion Processor Audio Receive RTP
5567           Processor Call Control - General Purpose
5060           SIP

TCP - Bidirectional
6800-6802      MiNet
3998-3999      Switch Application Communication [SAC]
5566           Processor Call Control
5060           SIP

If you do not have an Expansion Card [PEC-1] on your Base Processor then you do not need the ports opened up for that. If you do have an Expansion Card, which would have to have its own Public IP address, then you would open those ports up for it. Keep in mind that you have to do this for both Public IP addresses.

If you need Database Programming and/or System Administration and Diagnostics [SA&D] to work as well then open the following ports.

TCP
44000          Secure Database Programming
443            Secure SA&D Web Interface <- I don't recommend opening this up for remote use
22             SSH <- I do not recommend opening this up without shutting it off in the system

If you have a networked system going through your firewall then you would need to open up the following ports as well.

UDP
6004           Base Processor Audio Receive RTP <- If you have remote phones this is already opened

TCP
5570           Processor Call Control Port

Thanks,

TE
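
An added example, not part of the thread and not Mitel tooling: a short Python audit that compares a forward list against the ports given in the reply above and reports what is missing, what is extra, and whether the management ports the reply advises against are exposed. The port numbers come from the thread; the function names and the choice to treat TCP 44000 as optional are assumptions of this example.

```python
# Added example: audit a port-forward list against the list in the reply above.
# Port numbers are copied from the thread; all names here are illustrative.

def parse(spec):
    """'UDP 5060-6300' -> set of (proto, port) pairs."""
    proto, rng = spec.split()
    lo, _, hi = rng.partition("-")
    return {(proto.upper(), p) for p in range(int(lo), int(hi or lo) + 1)}

def expand(specs):
    out = set()
    for s in specs:
        out |= parse(s)
    return out

def ranges(pairs):
    """Collapse (proto, port) pairs back into 'PROTO lo-hi' strings."""
    out = []
    for proto, port in sorted(pairs):
        if out and out[-1][0] == proto and out[-1][2] == port - 1:
            out[-1][2] = port
        else:
            out.append([proto, port, port])
    return [f"{p} {lo}" if lo == hi else f"{p} {lo}-{hi}" for p, lo, hi in out]

# Needed for remote 52xx/53xx and SIP phones, no expansion card (from the reply).
REQUIRED = ["UDP 69", "UDP 50098-50508", "UDP 6004-6261", "UDP 5567", "UDP 5060",
            "TCP 6800-6802", "TCP 3998-3999", "TCP 5566", "TCP 5060"]
MGMT = ["TCP 443", "TCP 22"]   # listed in the reply with a warning against exposure
OPTIONAL = ["TCP 44000"]       # Secure Database Programming (assumed acceptable)

def audit(forwarded):
    fwd, req = expand(forwarded), expand(REQUIRED)
    return {
        "missing": ranges(req - fwd),
        "extra": ranges(fwd - req - expand(OPTIONAL) - expand(MGMT)),
        "management_exposed": ranges(fwd & expand(MGMT)),
    }

# The forward list from the opening post of the thread.
OPENING_POST = ["UDP 68-69", "TCP 6800-6802", "TCP 3998-3999", "UDP 5004-5007",
                "UDP 5060-6300", "UDP 50098-50509", "TCP 5666", "TCP 44000"]

if __name__ == "__main__":
    for key, val in audit(OPENING_POST).items():
        print(f"{key}: {', '.join(val) or 'none'}")
```

Every entry under "extra" is a forward that the list in the reply does not call for and can be closed; a site with an expansion card would add UDP 6604-7039 to REQUIRED for that card's address.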

anjo
Re: Port forwarding for 5xxx IP phones
« Reply #3 on: November 21, 2014, 11:57:04 AM »
Thank you Tech Electronics for such a comprehensive and succinct reply.  It's amazing the various ports I've been erroneously advised to open.

Quick question though:

Why do you recommend not opening ports 443 and 22 for System Admin & Diag?  We're relatively new to the 5000 and have gone out of our way to ensure we have access to the Sys Admin & Diag.  Even going so far (not really hard) as to change the listening port on the 5000 when port 443 has been used by another server.

Additionally, why port 69 or 20001?  Is one a secured version of the other?  If not, what is the difference?

Thanks in advance.
« Last Edit: November 21, 2014, 12:46:18 PM by anjo »

cholzhauer
Re: Port forwarding for 5xxx IP phones
« Reply #4 on: November 21, 2014, 03:29:52 PM »
I can speak to port 22... we had it opened to the outside for a while and it would get hammered by script kiddies... eventually our phone system would be so CPU-loaded that nothing would work.

Best way to do any administration (at least that I've found) is to use a VPN and access a Windows server that's sitting on your network...launch programming from there.

EDIT: As far as TFTP...port 69 is the normal one, but moving to 20001 can provide a small additional layer of protection as it's not the "normal" port.   There is no "secured" version of TFTP that I'm aware of.
« Last Edit: November 21, 2014, 03:31:27 PM by cholzhauer »

Tech Electronics
Re: Port forwarding for 5xxx IP phones
« Reply #5 on: November 24, 2014, 10:27:26 AM »
Anjo,

Allowing ports 443 and 22 to the outside world is not a good security measure, especially if you are pre-5.1 or do not have the Shellshock Bug Fix. Port 443 is to allow someone to the web page portion and 22 allows them to the system OS; neither one is a good thing if exploited.

As for ports 69 and 20001 they both do the same thing for the IP Phones and therefore are interchangeable. If you are worried about people looking for an exploit then go with port 20001, otherwise stick with what is known to work.

Thanks,

TE

cholzhauer
Re: Port forwarding for 5xxx IP phones
« Reply #6 on: November 24, 2014, 10:53:38 AM »
Sort of off-topic, but TE, do you know what version of the OS fixed Shellshock?

Tech Electronics
Re: Port forwarding for 5xxx IP phones
« Reply #7 on: November 24, 2014, 12:23:27 PM »
Cholzhauer,

The fix can be applied to versions 5.1 and above, but it comes with 6.0 SP2 PR2 and PR3. If the system is below 5.1 it will have to be upgraded to get the patch or you turn off the web server portion of the 5000. Alternately, you can set up the White List on the 5000 Web Server to block unwanted access.

The fix has been available for download for a month or so now, along with documentation on the other two patches for customers not at 5.1+.

Thanks,

TE


 
