uca, mbg, awc, nupoint what port neet to open in firewall?

[maxcheung]

I set up a server1 for mas(AWC,MBG[teleworker],nupoint), server2 for UCA, they have been pleace in same subnet with 3300 and behind the firewall.
Q1, if i need to provide those service to internet user, witch port i need to open on firewall ? i alredy open 443 for AWC.
Q2, i try to use UCA outside the office, when i setup it teleworker mode, the uca alway say failed to get certificate. Am i missing some port to open? or some setting is worng?
Q3, If i need to make this service work , as i see in mitel docs, i need 2 true static ip for them, can i only provide one ip to make them work?

Thank you. 

[bluewhite4]

For question 1, see the engineering guidelines for the various components. I know they have them for Teleworker/MBG, AWC, and unless you really want NuPoint management to be accessible from the outside it doesn't need to be. If you don't have access to those docs, let me know and I should be able to look all that up.

For question 2, for UCA to work outside the office, it has to be setup with a certificate through a MBG server and will burn a MBG license when in use. It will request said certificate, and then within the MAS's server-manager section, you can view/approve requested certificates. This is covered in the UCA docs I believe.

For question 3, unfortunately you need two static Ip addresses. Its a requirement that can't be gotten around. Additionally, the AWC's static ip address has to be larger than the other address. (As in the AWC would have to be 192.168.1.10 or higher if the other address is 192.168.1.9)

[maxcheung]

thanks for your help.

1, I find the awc menu, internet ip 1( port 80,443) --> server1 (192,168.1.25), internet 2 port 4443 --> server1(192.168.1.25), but i don't know what is the purpose to user 2 internet ip, can it work in one internet ip? like internet ip 1(port 80,443,4443) --- server1 (192.168.1.25).
also i realy can't find UCA port setting, Can you give me some suggestion.

2, i got a Approved certificate in MAS certificate management, Did i have to open a port for getting certificate?

3, Why the AWC ip need higher? coz i am alredy set it and send send to coustomer site.

Thanks again.

[maxcheung]

also have a question to set DNS for UCA,
i should use internal IP

UCA.mycompany.com  = 192.168.1.26

or
use external ip
UCA.mycompany.com = 12.245.223.68

if i have also have mas server ,the external ip can i use same as UCA, like

mas.mycompany.com = 12.245.223.68

thank you very much.

[Chakara]

  That is going to depend on your network.  Are the people inside or outside?  That may not matter if your firewall is configured to allow same interface loopback - IE:  if inside you can still hit 12.245.x.x and it gets translated to 192.168.x.x.

  I guess the answer is - whatever works in your environment

-Chak

[abonabeel]

Hi maxcheung,

I have same issue. the mbg,awc and nupoint in the same server 1 and another server 2 for UCA 3.2.

the UCA clients working fine internally. but when they are outside the office the clinet shuld work on TW mode. the TW will recive the Certificates and I approve it but once I approve it the clinet can't find the TW server.


do you have idea about isuue?


regards

Mohammed Al-Hams

[maxcheung]

HI abonabeel,
what ports did you opened ? you can watch engineering guidelines there have a list of port, also i afraid i missing some port not open, i temporary open all port for the test. 

Now,i hava another problem, my TW was in connected state, if I use TW mode's phone call other phone, the phone will ring, but both way is no voice. i trapped in this state.

is the MAS must pleace in DMZ?
What different between a server in DMZ and direct all port to server's ip ?
my firewall is sonicwall 3060.

[abonabeel]

Hi Maxcheung,

Any update for your TW problem.?

I have the same problem now ( my TW was in connected state, if I use TW mode's phone call other phone, the phone will ring, but both way is no voice. i trapped in this state. )

but what i will do, tomorrow i am going to move the MAS application to Hard Server because it was working in vMwar machine and then I will update you.

regards

Abonabeel

[Chakara]

  My understanding is that it MUST not be behind NAT....IE: in a DMZ with a public IP address.  Of course with the only the appropriate ports opened...

-Chak

[abonabeel]

My system is working fine now.

do one think in TW configuration make TFTP size Blocking = 1024


regards

Mohammed Al-Hams