PSNZ

Hi, guys.

I have been lumbered with a big problem getting Phone Manager (and other IP Office apps, but I'm sure if I can get it sorted, the others will be easy) working through a firewall.

This is a completely different system to our one (which I enquired about the other day).

Basically, a client has a secure network in the midst of a much larger network. The PBX is located in the larger network. There is a firewall/router securing the small network, however this is configured to be only one-way (ie only blocks incoming traffic), and works without configuration for all other applications used in the secure network, database clients, surfing the Internet, checking email, etc.

We simply cannot get Phone Manager working correctly from within the secure network. I understand that it uses a broadcast address (255.255.255.255) to send free/busy information, however we cannot even get it connecting to the PBX, and I would assume it wouldn't rely on broadcast traffic to connect. We figured that if we could get it connecting, we could look at tackling the broadcast issues, and attempt to get them jumping networks.

We can ping the PBX happily, so there is no problems with the route.

Actually, we can get it talking correctly to any one machine within the secure network, but only by configuring the firewall to forward all traffic hitting it on all ports from the PBX's IP address through to a machine on the secure network. Obviously this is no good, however, as we can only forward ports to a single client machine, and Phone Manager is to be installed on several machines (as well as the security issues it creates).

I'm guessing from this that IP Office sends non-initiated traffic to the client, which is getting as far as the firewall.

Any ideas?

The Phone technicians have pretty much given up on it. We are the network (and hence firewall) admins, so have had the problem dropped in our lap.

I will be eternally grateful if someone can shed some light on whether Phone Manager can be used between networks, or whether it must be on the same network to function correctly, or if there is any way around the problem.

sizbut

You need (at least) the following port open:

TFTP 69 going both ways - used to exchange information like system directory.
50796 going to the IP Office - used by apps to log on to the IP Office.
50799 coming from the IP Office - the apps listen on this port for BLF updates (those updates are broadcast so you need to ensure that any router/switch forwards them).

I'm up for being corrected but I think all the above are sent UDP rather than TCP.

PBXtech.info

 

corhavelaar

IP Office sends BLF status indication to all PC Partner sessions if these are not within the broadcastdomain, and yes it is mostly UDP traffic going between PM and IPO.

sizbut

That's good to know Corhavelaar - thanks.

PSNZ

Hi, guys.

Thanks heaps for your replies.

Yes, traffic is allowed through these ports. The problem is that, with a secure network like this, all outgoing traffic will always appear to be coming from the firewall device (ie machines behind it are "hidden").

This is fine for initiated traffic (eg standard connections such as web requests) whereby a local machine's request is logged by the firewall, and the resulting response is forwarded automatically by the firewall to the correct local machine, as it is tagged as a reply from the specific request). However non-initiated traffic, such as the BLF UDP traffic by the looks of things, will hit the firewall, which will have no idea about what to do with it.

We can (obviously) set specific forwarding rules, whereby traffic originating from a certain IP address (the PBX) on a given port is forwarded to a particular client. However, this is a little problematic in itself, as, even if we got the correct BLF ports, we could only forward it to one client (I'm pretty sure it is only possible to forward each port to a single internal machine). Is it possible to somehow tell IP Office to send BLF data on 4 different ports (there are only 4 Phone Manager machines in the secure network)? If this were possible, we could forward each one to one of the Phone Manager machines.

Also, what ports does the BLF data use? I've tried forwarded the ports listed in the Install Guide (that are listed above by Sizbut) but this doesn't work. However, forwarding all ports from the PBX to a single client allows for that client to connect successfully, so it is obviously just a case of finding the correct ports.

Any ideas?

corhavelaar

Start SysMonitor select as a filter the interface, packets in/out, queued in/out, broadcast,multicast and packetsize to 1500.
Then you can see the BLF broadcasts to 255.255.255.255 and the portnumber and if running you can see the BLF packets to PC Partner sessions not in the broadcast domain.
PC Partner = PhoneManager Lite/Pro/IP

PBXtech.info

 

sizbut

Your firewall software/hardware should also be able to report what traffic it has blocked and within that hopefully you can identify that which has come direct from the IPO PBX.