> > I'll be able to help you but first I need to understand your setup
> > better. Do you have a true DMZ whereby the sipXecs in the DMZ has a
> > publicly reachable IP address or does it have a private IP address and
> > the Router in front does all the 'NATing'?
>
> Thanks Robert. I don't have a true DMZ; sipXecs has its own
> private IP. I'm just testing off of an independent ADSL line
> at this point, so I don't have a domain name to work with
> yet. I'm just accessing the external static IP.
>
> I can test with the firewall disabled, but of course long
> term I'll need to have the firewall enabled and just open up
> the necessary ports.

With the proper firewall configuration you will be able to deploy sipXecs behind a firewall and allow remote phones behind their own firewall/NATs to also register and make calls. But before this can happen a few configuration steps need to be followed:

Step 1 - configuring NAT traversal feature
* In sipXconfig, navigate to System->Internet Calling->NAT Traversal and:
  * "Enable NAT Traversal": checked
  * "Server behind NAT": checked

Step 2 - configuring public IP address of sipXecs
* Navigate to system->servers-><click on server>->NAT
* If the WAN-facing IP address of your NAT/Firewall is static then select "Specify IP address" and enter it under "Public IP Address". If your WAN-facing IP address is dynamic (i.e. your ISP changes it from time to time), select "Use STUN" and enter a STUN server address in the "STUN Server" field (stun01.sipphone.com is a somewhat reliable public STUN server that you could use here)
* Keep all other fields as defaults.

Step 3 - define your local private network topology
* Navigate to System->Internet Calling. There, you need to enumerate the domains and subnets that make up the private network that your sipXecs is a part of. For example, if your sipXecs has domain name sipx.example.com and is part of private network 10.10.10.0/24 then you need to have an "Intranet Domains" entry of "*.sipx.example.com" and an "Intranet subnets" entry of "10.10.10.0/24" and remove the default ones. Be sure to remove any pre-configured intranet subnets that do not apply to your network.

Step 4 - Configure your firewall
Next, you need to log into your Firewall/NAT and open pinholes and port forwarding rules that will route any incoming TCP and UDP traffic arriving on port 5060 to the private IP address of your sipXecs. You also need to allow and forward traffic arriving on UDP port range 30000 to 3100 used for media to the private IP address of your sipXecs.

Step 5 - Configure the phone
<skipping the obvious settings>
* Set proxy to the SIP domain of your sipXecs
* Configure the outbound proxy to be the public IP address of your firewall/NAT
* Disable any phone-based NAT traversal technologies, i.e. select 'Use Local address' instead of 'discover global address' and uncheck 'Enable ICE'

That's everything - let me know how that works out for you.

bob
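
The Step 4 pinholes as an added example (not part of the message above and not sipXecs code): a shell function that validates its inputs and prints, without applying, the port-forwarding rules. It assumes the firewall/NAT is a Linux host using iptables; the function names, interface name, address and port values are hypothetical.

```shell
#!/bin/sh
# Print (never apply) iptables rules for the Step 4 pinholes.
# Assumptions: the firewall/NAT is a Linux host using iptables; the WAN
# interface, sipXecs private IP and media range are supplied by the operator.

is_port() {  # true if $1 is an integer in 1..65535
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_private_ipv4() {  # true if $1 is a well-formed RFC 1918 address
    case "$1" in *[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# usage: sipx_pinhole_rules WAN_IF PRIVATE_IP RTP_LOW RTP_HIGH
sipx_pinhole_rules() {
    wan=$1 dst=$2 lo=$3 hi=$4
    case "$wan" in ''|*[!A-Za-z0-9._-]*)
        echo "bad WAN interface name: $wan" >&2; return 2 ;;
    esac
    is_private_ipv4 "$dst" ||
        { echo "not a private IPv4 address: $dst" >&2; return 2; }
    is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] ||
        { echo "bad media port range: $lo-$hi" >&2; return 2; }
    # SIP signalling on TCP and UDP 5060, then the UDP media range
    for spec in tcp:5060 udp:5060 "udp:$lo:$hi"; do
        proto=${spec%%:*} ports=${spec#*:}
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $ports -j DNAT --to-destination $dst"
        echo "iptables -A FORWARD -i $wan -p $proto -d $dst --dport $ports -j ACCEPT"
    done
}

# Constructed sample values; substitute your own interface, address and range.
sipx_pinhole_rules eth0 10.10.10.5 40000 40100
```

Restricting the rules to the WAN interface and to the three listed port specifications keeps everything else on the sipXecs host unreachable from outside once the firewall is enabled.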