MarcoPogo
New Forum Member


Joined: Dec 14, 2004
Posts: 3
I have been presented with a very difficult problem. While I am able to set up my VONAGE service at home (no problemo), I cannot get the service to work from behind the corporate LAN.
The corporate LAN / corporate security policy will not allow for incoming traffic through a port opened on the firewall - therefore port forwarding is out. I have discussed setting up a DMZ with the corporate guys, but this is akin to treading on sacred burial ground. It could be done, but we will have to move a few mountains...you get the picture.
I was wondering if there are any external solutions to this problem. I am not deep in understanding the SIP protocol, so I won't attempt it here, but if anyone out there has a solution, or faced a similar problem, I would be interested to hear about it.
matth
Vonage Forum Master


Joined: Dec 07, 2004
Posts: 281
Location: Williamsport, PA
You MAY need to open a port, but you also may not. I personally run Vonage behind a firewall with no ports open and it works fine.
Are you asking this question because you've tried it and it didn't work?
1) Do you have webservers? Then these are running on forwarded ports or are in the DMZ.
2) What happens with Vonage behind the firewall? Can you make but not receive calls?
Is there some way the tech guys can let you put the Vonage device BEFORE the firewall? (Assuming this is for a work related project)... that way it's outside the network.. and who cares what happens to the box?
Move a few mountains to put a SIP device behind a DMZ? What kind of firewall are they running? I could do a map from outside to our DMZ in about 2 minutes on our PIX firewall. I think they are just dragging their feet 'because they can'.
Give us a little more info and we'll try to help...
MarcoPogo
New Forum Member


Joined: Dec 14, 2004
Posts: 3
Hi, I wanted to update. I had things confused a bit. After opening up the ports on the corporate firewall VONAGE phone service worked just fine.
Thanks for your comments.
JScott
Vonage Representative


Joined: Dec 09, 2004
Posts: 79
Location: New Jersey
I thought u said opening ports on the firewall was a no-no.
_________________
JScott
Tier 2 Technical Support
Vonage Digital Voice
www.vonage.com
MarcoPogo
New Forum Member


Joined: Dec 14, 2004
Posts: 3
say that, but after some wrangling, hand wringing, and head banging we came to an agreement.
FYI I did the same test with a competitor product (hint: starts with an A and ends in TT), and we were not able to get the service running. I am not sure if this is a protocol difference (MGCP v. SIP) but right now I don't have a good answer and neither does the IT guy.
Thanks once again for your interest.
sajer
Full Forum Member


Joined: Dec 16, 2004
Posts: 59
What type of corporate firewall are you using? I am wondering because we have a Sonicwall at work, and I am unable to get my adapter to work behind it.
bbtrumpetguy
Vonage Forum Master


Joined: Dec 10, 2004
Posts: 227
Sajer,
I have a SonicWALL here at home and it's working just fine. The only ports I have forwarded (via a firewall rule) are 5060-5061 UDP and it works brilliantly. What model SW are you using? Perhaps I can help. I work as a SonicWALL reseller/certified SonicWALL Administrator.
bbtrumpetguy
Vonage Forum Master


Joined: Dec 10, 2004
Posts: 227
Sajer,
Let me pre-empt your reply with a couple of suggestions. I would give your Vonage device a static IP address or, at the very least, a reserved DHCP address. This will be necessary in order to do the port forwarding with the SW or you will be changing your rule every time your DHCP lease expires.
Depending on your version of SonicOS your layout may be different from mine. However, if yours is different, you should be able to figure out the similarities of the menu.
Click on the "Firewall" tab. Click "Services." Click "Add." You will need to create a service (I called mine VOIP) and assign it the port range of 5060-5061 and the protocol is UDP. For my SonicWALL (TZW) that's all I had to open! You, however, may need to add the rest of the ports. If you do need to add the other ports (all UDP: 53, 69, and 10,000-20,000), when you click the "Add" button again for each port, name it EXACTLY the same, spelling and case. (This will make life easier for you later.) Again, you might not have to add all these ports.
Now, after you have added the first service, click on the "Access Rules" tab. Click "Add." Select "Allow", then for your "service" in the drop down menu select "VOIP" or whatever you named the service. If you have to add the other ports and you name the services exactly the same, all the ports you add will be available under 1 name instead of having to choose different services and writing a rule for each of them!
O.K. Now you have selected "allow" and the service. For "Source" you could select * or "WAN", doesn't matter. For destination, select "LAN" or "DMZ" or wherever the Phone adapter is on the SonicWALL and then for "address range" type in the IP address of the PA in both boxes. Click OK. Make sure the rule is enabled (some SonicWALLs do not enable rules by default) and test.
I apologize if I am speaking down to you but I have no idea of your tech. background. I truly mean no offense to your intelligence. I hope I have been helpful.
netranger
New Forum Member


Joined: Aug 05, 2005
Posts: 1
bbtrumpetguy,
I am running a SOHO TZW w/ firmware version: SonicOS Standard 2.1.0.0. I have configured the firewall as you stated and cannot place or receive calls. I have a dial tone and Vonage Support sees my device. I have a reserved IP set up in DHCP for the device and have allowed all the required services to this IP. When I try to make a call the Vonage server tries to connect to my WAN interface IP, instead of the packet being forwarded to the internal IP. The firewall drops the connection because the rule is set to allow traffic to the internal IP. My first thought is that the firewall is not keeping state since this is a UDP connection. Have you seen this before? Any help would be appreciated.
bbtrumpetguy
Vonage Forum Master


Joined: Dec 10, 2004
Posts: 227
netranger wrote:
bbtrumpetguy,
I am running a SOHO TZW w/ firmware version: SonicOS Standard 2.1.0.0. I have configured the firewall as you stated and cannot place or receive calls. I have a dial tone and Vonage Support sees my device. I have a reserved IP set up in DHCP for the device and have allowed all the required services to this IP. When I try to make a call the Vonage server tries to connect to my WAN interface IP, instead of the packet being forwarded to the internal IP. The firewall drops the connection because the rule is set to allow traffic to the internal IP. My first thought is that the firewall is not keeping state since this is a UDP connection. Have you seen this before? Any help would be appreciated.

Can you send me a TSR report from your SWALL so I can get an idea of how it is set up? Maybe I can see something (won't promise but I'll try!). I had a TZW but gave it to our service manager when I got the new Pro 1260 (24 port switch built in and with the Enhanced FW it becomes a managed switch w/24 virtual firewall ports! and the ability to create "Port Shield Groups" aka VLAN.)
I did verify you are running the latest firmware for the TZW (I'm really disappointed they haven't released 3.1 for the TZW-adds Gateway Anti-Virus, Intrusion Prevention, and Anti-Spyware). ANYWAY, now that I sound like a sales pitch...to send me the TSR please do the following
Login
System>Diagnostics
Now it's been a while for me with the TZW so you'll either see TSR up top or you'll have to use the drop down to select it.
Select ALL of the check boxes
Save it to your local drive
Send it to me through a pm
Thanks.
P.S. If you could also forward me a copy of your latest log file showing the dropped traffic I would appreciate it.
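
The symptom netranger reports (inbound VoIP packets dropped while still addressed to the WAN IP, so the allow rule written for the internal IP never matches) can be separated from other drops in a log like the one requested above. This is an added example, not code from the thread or from SonicWALL: the log layout, the IP addresses and the function names are constructed for illustration, and only the UDP port list is taken from the posts.

```python
import ipaddress

# UDP ports named in the thread: 5060-5061, 53, 69 and 10,000-20,000.
VOIP_UDP_PORTS = [(5060, 5061), (53, 53), (69, 69), (10000, 20000)]

# Constructed drop-log lines in a made-up key=value layout (not SonicWALL's format).
SAMPLE_LOG = """\
2005-08-05 10:01:02 action=drop proto=udp src=198.51.100.20:5060 dst=203.0.113.7:5060
2005-08-05 10:01:09 action=drop proto=udp src=198.51.100.20:12000 dst=203.0.113.7:10500
2005-08-05 10:02:30 action=drop proto=tcp src=192.0.2.55:40112 dst=203.0.113.7:23
2005-08-05 10:03:11 action=drop proto=udp src=198.51.100.20:5060 dst=192.168.1.50:5062
2005-08-05 10:03:40 action=allow proto=udp src=192.168.1.50:5060 dst=198.51.100.20:5060
"""

def is_voip_port(port):
    return any(lo <= port <= hi for lo, hi in VOIP_UDP_PORTS)

def parse_line(line):
    """Turn one log line into a dict, splitting dst into address and port."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    host, _, port = fields["dst"].rpartition(":")
    fields["dst_ip"] = ipaddress.ip_address(host)
    fields["dst_port"] = int(port)
    return fields

def classify(fields, wan_ip, adapter_ip):
    if fields["action"] != "drop":
        return "not-a-drop"
    voip = fields["proto"] == "udp" and is_voip_port(fields["dst_port"])
    if fields["dst_ip"] == wan_ip and voip:
        # Port is in the allowed service, but the packet was matched against
        # the rules before (or without) translation to the adapter's address.
        return "voip-to-wan-untranslated"
    if fields["dst_ip"] == adapter_ip and not voip:
        # Reached the adapter's address on a port the service does not cover.
        return "adapter-port-not-in-service"
    return "unrelated-drop"

def triage(log_text, wan_ip, adapter_ip):
    """Count verdicts per category for every log line carrying an action field."""
    wan, adapter = ipaddress.ip_address(wan_ip), ipaddress.ip_address(adapter_ip)
    counts = {}
    for line in log_text.splitlines():
        if "action=" in line:
            verdict = classify(parse_line(line), wan, adapter)
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.7", "192.168.1.50"))
```

A high count in the first category points at the address translation for the forwarded ports rather than at the access rule itself; drops in the third category are the firewall doing its job and need no rule change.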