On Fri, Dec 11, 2009 at 9:46 AM, Scott Lawrence <scott.lawre...@nortel.com> wrote:
> On Fri, 2009-12-11 at 09:05 -0500, Lara Johnson wrote:
> > Well, I tested the theory. I set up a brand new box and configured it
> > exactly how my production system ran when I did. External users that
> > are coming in through my ingate can register (you can see them in the
> > register). And they can receive calls from internal users.
> >
> > Though when they try to call an extension that’s inside or an outside
> > number we get a 403 not authorized. The settings are the same as when
> > we were running 3.10.2 and the calls worked then. I wonder if
> > something in the permissions have changed in 4.0 to cause this issue.
> >
> > In 3.10.x we had to remove all the dialing permissions from the dial
> > plan to get users to be able to dial external numbers (on the sip
> > trunks) from the outside. We did not have the issue with external
> > users calling internal extensions or voicemail.
> >
> > Any ideas? I can get logs and send in if someone has an idea where
> > they would like to look. Thanks.
> >
> > From: Lara Johnson
> > Sent: Wednesday, December 02, 2009 11:29 AM
> > To: Picher, Michael; sipx-users@list.sipfoundry.org
> > Subject: RE: [sipx-users] 4.0.2 Remote users & Authentication Realm
> > problem
> >
> > I figured that was it, although I wish it were not the case, I really
> > didn’t want to have to take down the system and rebuild it… it being a
> > production system and all. Which is why I had to try it that way first
> > to minimize downtime.
> >
> > The only thing that I could find was that once it was using the FQDN
> > as the authorization realm it doesn’t matter if you change its domain
> > it still wants the realm as the FQDN, it configures my phones to do
> > that and it doesn’t challenge them it seems. I even tried setting my
> > SBC that proxies my external users to force it to use the FQDN and it
> > just doesn’t want to do it that way.
> >
> > When I manually change the SIPX_PROXY_AUTHENTICATE_REALM in the
> > sipXproxy-config file from the FQDN to the domain and restart the
> > services the external users work just fine. Internally though
> > everything starts acting strange and there’s just so many problems I
> > wouldn’t even know where to begin.
> >
> > I think I’ll schedule some downtime and reset the server and spend the
> > time to redo it and see if that does the trick.
> >
> > Lara
> >
> > From: Picher, Michael [mailto:mpic...@cmctechgroup.com]
> > Sent: Wednesday, December 02, 2009 10:51 AM
> > To: Lara Johnson; sipx-users@list.sipfoundry.org
> > Subject: RE: [sipx-users] 4.0.2 Remote users & Authentication Realm
> > problem
> >
> > I’ve tried with 4.0.x to change between the two and always end up
> > having to rebuild the system… You can export your users and import
> > them to take some of the pain away.
> >
> > Maybe there’s a step I’m missing but I just can’t make things work
> > right. May have to do with the user accounts.
> >
> > Mike
> >
> > From: sipx-users-boun...@list.sipfoundry.org
> > [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Lara
> > Johnson
> > Sent: Wednesday, December 02, 2009 9:33 AM
> > To: sipx-users@list.sipfoundry.org
> > Subject: [sipx-users] 4.0.2 Remote users & Authentication Realm
> > problem
> >
> > I have a 4.0.2 box that I replaced 3.10.2 with. I ran two boxes and
> > then switched the 4.0.2 live. I believe this may have caused a problem
> > with authentication realms and my remote users. The original box was
> > using the straight domain as the sip domain, while the 4.0.2 box used
> > a FQDN until it went live.
> >
> > Internally all calls are working properly. Incoming calls come in and
> > go out. We can call remote users from inside.
> >
> > Remote users, however, are showing up in the registrations (through an
> > ingate as a b2bua and proxy) like they did in 3.10.2, however they
> > cannot call extensions that are inside the office (not
> > connected/registered remotely) or dial out to any other numbers. Upon
> > viewing a packet capture I get a 407 Authorization required.
> >
> > When I did some digging, the sipxecs-config file has the FQDN as the
> > authorization realm. If I manually change it to the domain name only,
> > all my external users start working, but internally things mess up
> > (transfers do not work, calls inbound have problems). I change it back
> > and everything is fine internally again.
> >
> > Is this because I switched from FQDN to domain name only? Should I
> > reinstall the 4.0.2 box and set it up with the domain name only from
> > the beginning? Does anyone know a way to work around this?
>
> Probably what's happening is that you have permissions on a dial plan
> that goes out the InGate to a SIP trunk, and the calls to your remote
> users match the pattern for those rules.
>
> Do you have a dial plan that goes to the InGate as a gateway and matches
> the same number of digits that your users have for their extensions?

A test call that fails will be easy to spot in the ingate log if the
above is the case. You may also want to observe the number dialed by the
user and make sure the format matches what the ingate expects to send to
the ITSP once it passes through the proxy.
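An added example, not part of the thread and not sipXecs code: one way to check the realm question raised above from a packet capture. It compares the realm in a 407 challenge with the realm in the client's retried request and recomputes the RFC 2617 digest (no qop). The SIP message, hostnames, extensions and password are constructed placeholders.

```python
import hashlib
import re

# Constructed 407 challenge (placeholder hosts; realm set to an FQDN).
CHALLENGE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:201@example.com>;tag=9fxced76sl\r\n"
    "To: <sip:105@example.com>;tag=8321234356\r\n"
    "CSeq: 1 INVITE\r\n"
    'Proxy-Authenticate: Digest realm="pbx.example.com", nonce="f1da4bdf3a3e4b2c"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def header(msg, name):
    """Return the first value of a SIP header (case-insensitive), or None."""
    for line in msg.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the headers
            break
        key, _, val = line.partition(":")
        if key.strip().lower() == name.lower():
            return val.strip()
    return None

def digest_params(value):
    """Parse key="value" / key=value pairs from a Digest header value."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', value or "")
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop. The realm is hashed into HA1."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def check_retry(challenge_msg, authorization, password, method="INVITE"):
    """Classify a client's Proxy-Authorization against the challenge it answers."""
    chal = digest_params(header(challenge_msg, "Proxy-Authenticate"))
    auth = digest_params(authorization)
    if "realm" not in chal:
        return "no challenge"
    if auth.get("realm") != chal["realm"]:
        return f"realm mismatch: challenged {chal['realm']!r}, client sent {auth.get('realm')!r}"
    expected = digest_response(auth.get("username"), chal["realm"], password,
                               method, auth.get("uri"), chal["nonce"])
    return "ok" if auth.get("response") == expected else "bad response"
```

A "bad response" result with matching realm strings is what a credential hash derived under the other realm looks like, since the realm is part of HA1.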