Mitel UCA App setup

[Johnavt]

I have recently had a Mitel 5000 system installed. Replacing a Toshiba system.

For me one of the main purpose of upgrading to a new system was UC functionality  - the idea of a system setup and working around a user.
This included the using mobile devices and seamlessly moving from device to another - in or out of offices.

For mobiles I have the Mitel App that only works when I am in the building the phone is installed in - which is fairly pointless.
The option - after the installer spending days trying to work something out - was to use  VPN when outside the building.

On a practical note that is completely useless. Ever tried keeping a VPN up and running on a mobile - not to mention the fact that on most handsets the VPN stops when the phone is your pocket.  More to the point why am I even using a VPN?

It seems there are plenty of installers out there who know maybe 75% of what they need to setup a Mitel system but the other 25% eludes them.

When I called Mitel UK to discuss they said it should be setup with a MBG.

On this website various people suggest using methods such as VPN (been there suffered that) or opening up a firewall and using MAC filtering to do the security.
However, surely that is a half hearted method of doing something Mitel have provided a secure app do properly? 

In our case the installer left port 5060 open and it seems half of china attempted to break into the system. Sustaining near 100% CPU usage and making the system fall over on several occasions before someone in network security realized far too late that something was wrong.  A good practical example of why using firewall rules on a corporate network is not good practice.

So the question is - what is the Mitel approved method of using the mobile app off-network/remotely on the Mitel 5000 system.
I say Mitel approved because to be honest that is what customers pay for - they don't pay for half baked ideas and work arounds...!

[johnp]

I responded to your other post. Just to add, with MBG you can change the external versus internal SIP password for registration, also see that with they latest version that you can have different DN's, not that I have ever tried that.

[merlin02131]

Hey john

Any chance on getting that seperate response ? we are going to be enabling this as well . security is MY biggest concern as well

Thanks

Rich

[Tech Electronics]

Merlin02131,

Have your vendor install a Mitel Border Gateway (MBG) along with the 5000 and if they have problems setting it up then it may behoove you to come back and ask questions then. It all depends on your network makeup and security on how they will need to install the MBG, but it is a pretty straight forward process.

Thanks,

TE

[johnp]

To paraphase my other comment, The MBG has been around a long time for the 3300 and 5000 integration is ever improving. If not already I see in the near future that it's deployment will become the recommended method for the 5000 as it is currently for the 3300.

[Johnavt]

Got the MBG installed and working.

Installation company sent a different installer as I refused to allow the first installer back in the building.
I simply will not tolerate installers testing their skills on our system...!

The MBG gateway is installed - we installed it as a VM.  That seemed to install quickly and fairly easily.

External phones now provisioned as Teleworker.

Although ... we can use the mobile App to call into the system but if we call to the mobile extension it fails instantly:

Call cannot be completed     from the office phone (5340e)
Then the mobile instantly notifies a missed call ...

Looking in the logs it comes up with a 404 error between the Mitel 5000 and the MBG.
Installer spent a couple of hours trying to get this working but could not.
Then decided we need to upgrade the Mitel 5000 to the latest firmware/software.
Which we will do on the 26th June.

He thinks this will cure the problem - although I have my doubts given the track record!

Would seem to me to be a setting not correct somewhere but maybe he does not know where it is...

We are still getting very bad call quality being reported by many users on maybe 1 in 5 calls.

I have to say this has not been a very good experience so far with the Mitel 5000.

One last thing with regards to the MBG - I can see on th logs some idiot in France attempting to hack into the system.
I asked the installer if we could put the IP on a blacklist on the MBG so it always ignores it.
He said he does not think there is a blacklist function on the MBG - which I find hard to believe?....

[johnp]

I was testing a client and had both a remote phone and UC sip client working remote via the MBG and UCA server scenario. While the phone required a teleworker license, the sip shouldn't.

As to hacking the MBG, it will only allow what you program in the way of ports. I don't think Mitel has any blocking software. Possibly you could install fail2ban from contribs.org, You would likely have to find all dependantcies as MBG doesn't support YUM, but the underlying software is pretty close.

[sarond]

MAS is pretty much SME Server.

You could check this out.
http://wiki.contribs.org/Denyhosts

[johnp]

I run Denyhosts on my home SME and it works well. Fail2ban looks like it does more. I also run the Mitel certificate creation files from MSL since I like the native wildcard support in the self signed one generated

http://wiki.contribs.org/Fail2ban

[Johnavt]

Update this still does not work properly.

Installer updated the Mitel 5000 to latest firmware. It did not fix the problem.

They then found a setting ( I like the use of the word 'found') which enabled the internal phones to call the external UCA phones.

I then put it through a few test like ringing one UCA from another and they then failed.

Fix one problem - introduce another. Top quality this I have to say.

Installer now coming back onsite to try and work through the issues.  Which is what they should have done from day one until it actually worked 100%

[Rixy]

Hi Johnavt.

What was the outcome of this? interested to know for potential installations.

Cheers

[johnp]

If looking into blocking hack attempts, http://wiki.contribs.org/Firewall under the section Block incoming IP address will work to ban connections from the unclean.

[mitelengineeruk]

Me too. Let me know how things went.

The MBG to 5000 would have gone through a lot of testing so surprised on the issues. Possibly seems like issues with the company installing it and maybe not properly trained.

[johnp]

Being a vMBG, that makes it somewhat more difficult. I would assume the server-gateway mode would have worked when installed. I think you can now configure a virtual in this mode.

[IPInstaller]

We also install and use MiCollab with MBG on our HX/5000.

We initially had 404 errors when dialling out on MiCollab clients and this turned out to be the caller id needs to be in the caller name field instead as SIP uses this rather than caller id.

Not sure this will help but the more info the better.

If your installer can run a wireshark trace on the WAN port of your router/firewall your should be able to work out where the 404 is coming from.

Since we installed MBG on our system, Chinese attacks have stopped 100%. MBG is also used for our remote 53xx IP phones and works well. A good investment against not having one for five years!