Mitel Forums - The Unofficial Source
Mitel Forums => MiVoice Office 250/Mitel 5000 => Topic started by: jjordon on November 05, 2014, 03:01:16 PM
-
I have a phone registered but I am getting no audio.
Here is a list of ports I have forwarded to the system:
UDP 68-69
TCP 6800-6802
TCP 3998-3999
UDP 5004-5007
UDP 5060-6300
UDP 50098-50509
TCP 5666
I did forward 44000 to programming as well
If anyone can point me to what I might be missing, I would appreciate it.
-
If the phone is off site, make sure that the NAT Address Type (System > Devices and Features Codes > Phone > [ext] > IP Settings) is set to NAT.
-
JJordon,
Alright, so if all you have are SIP and Mitel 52xx/53xx style phones then all you would need open are the following ports.
UDP - Bidirectional
69 or 20001 TFTP
50098-50508 Phone Audio RTP
6004-6261 Base Processor Audio Receive RTP
6604-7039 Expansion Processor Audio Receive RTP
5567 Processor Call Control - General Purpose
5060 SIP
TCP - Bidirectional
6800-6802 MiNet
3998-3999 Switch Application Communication [SAC]
5566 Processor Call Control
5060 SIP
If you do not have an Expansion Card [PEC-1] on your Base Processor then you do not need the ports opened up for that. If you do have an Expansion Card, which would have to have its own Public IP address, then you would open those ports up for it. Keep in mind that you have to do this for both Public IP addresses.
If you need Database Programming and/or System Administration and Diagnostics [SA&D] to work as well then open the following ports.
TCP
44000 Secure Database Programming
443 Secure SA&D Web Interface <- I don't recommend opening this up for remote use
22 SSH <- I do not recommend opening this up without shutting it off in the system
If you have a networked system going through your firewall then you would need to open up the following ports as well.
UDP
6004 Base Processor Audio Receive RTP <- If you have remote phones this is already opened
TCP
5570 Processor Call Control Port
Thanks,
TE
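Added example, not part of the reply above or of any Mitel tooling: a small audit that diffs the forwards listed in the opening post against the port list in this reply, showing what is still closed and what is open without being needed. The function names are hypothetical, and it assumes no expansion card (PEC-1), TFTP on 69, and that the 44000 forward is TCP.

```python
# Added example: diff a set of firewall forwards against a required-port list.
# Port data is copied from the thread; function names are hypothetical.

# Ports from the reply above for remote SIP / 52xx/53xx phones.
# Assumptions: no expansion card (PEC-1), TFTP left on 69 rather than 20001.
REQUIRED = [
    ("udp", 69, 69), ("udp", 50098, 50508), ("udp", 6004, 6261),
    ("udp", 5567, 5567), ("udp", 5060, 5060),
    ("tcp", 6800, 6802), ("tcp", 3998, 3999),
    ("tcp", 5566, 5566), ("tcp", 5060, 5060),
]

# Forwards listed in the opening post (including 44000, taken as TCP).
FORWARDED = [
    ("udp", 68, 69), ("tcp", 6800, 6802), ("tcp", 3998, 3999),
    ("udp", 5004, 5007), ("udp", 5060, 6300), ("udp", 50098, 50509),
    ("tcp", 5666, 5666), ("tcp", 44000, 44000),
]


def expand(rules):
    """Turn (proto, first, last) rules into a set of (proto, port) pairs."""
    return {(proto, p) for proto, lo, hi in rules for p in range(lo, hi + 1)}


def collapse(pairs):
    """Merge (proto, port) pairs back into sorted (proto, first, last) ranges."""
    out = []
    for proto, port in sorted(pairs):
        if out and out[-1][0] == proto and out[-1][2] == port - 1:
            out[-1] = (proto, out[-1][1], port)
        else:
            out.append((proto, port, port))
    return out


def audit(required, forwarded):
    """Return (missing, excess): needed but closed, and open but not needed."""
    need, have = expand(required), expand(forwarded)
    return collapse(need - have), collapse(have - need)


if __name__ == "__main__":
    missing, excess = audit(REQUIRED, FORWARDED)
    for label, ranges in (("MISSING", missing), ("EXCESS", excess)):
        for proto, lo, hi in ranges:
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            print(f"{label:8}{proto.upper()} {span}")
```

TCP 44000 is reported as excess only because the reply lists it separately, as an optional port for Database Programming.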
-
Thank you Tech Electronics for such a comprehensive and succinct reply. It's amazing the various ports I've been erroneously advised to open.
Quick question though:
Why do you recommend not opening ports 443 and 22 for System Admin & Diag? We're relatively new to the 5000 and have gone out of our way to ensure we have access to the Sys Admin & Diag. Even going so far (not really hard) as to change the listening port on the 5000 when port 443 has been used by another server.
Additionally, why port 69 or 20001? Is one a secured version of the other? If not, what is the difference?
Thanks in advance.
-
I can speak to port 22....we had it opened to the outside for a while and it would get hammered by script kiddies...eventually our phone system would be so CPU-loaded that nothing would work.
Best way to do any administration (at least that I've found) is to use a VPN and access a Windows server that's sitting on your network...launch programming from there.
EDIT: As far as TFTP...port 69 is the normal one, but moving to 20001 can provide a small additional layer of protection as it's not the "normal" port. There is no "secured" version of TFTP that I'm aware of.
-
Anjo,
Allowing ports 443 and 22 to the outside world is not a good security measure especially if you are pre 5.1 or do not have the Shellshock Bug Fix. Port 443 is to allow someone to the web page portion and 22 allows them to the system OS, neither one is a good thing if exploited.
As for ports 69 and 20001 they both do the same thing for the IP Phones and therefore are interchangeable. If you are worried about people looking for an exploit then go with port 20001, otherwise stick with what is known to work.
Thanks,
TE
-
Sort of off-topic, but TE do you know what version of the OS fixed Shellshock?
-
Cholzhauer,
The fix can be applied to versions 5.1 and above, but it comes with 6.0 SP2 PR2 and PR3. If the system is below 5.1 it will have to be upgraded to get the patch or you turn off the web server portion of the 5000. Alternately you can set up the White List on the 5000 Web Server to block unwanted access.
The fix has been available for download for a month or so now along with documentation on the other two patches for customers not at 5.1+
Thanks,
TE