I am trying to get off-network IP Phones working with our Inter-tel phone system.
According to the doc from Inter-tel this should be possible behind NAT/firewall by "opening" some select ports. I am almost there except for the fact that the remote IP phone hears no audio. The phone dials properly (however, there is no "ring tone" heard in the earpiece), the called phone rings and when I pick up the called phone, I can speak and the remote phone hears, but if I speak into the remote phone, the local phone has no audio.
I have created "server publishing" rules that map the public IP to the private IP of the Inter-tel system. The Inter-tel doc has an example for a Cisco router as follows:

    ip access-list extended s0in
     permit tcp any host 208.13.17.2 eq 5566
     permit udp any host 208.13.17.2 eq 5567
     permit udp any host 208.13.17.2 range 5004 5069
     deny ip any any
I have created 3 server publishing rules publishing the ports/ranges above.
Anyone have any ideas? As you might expect, getting to a truly technical person at Inter-tel is proving to be a monumental task!
I'm getting the following error: Server publishing rule [IPRC 5567 at 0.19] that maps 192.168.0.19:5567 UDP to 216.150.xxx.xxx:5567 for protocol [IP Phone Traffic udp 5567] was unable to bind a socket for the server. The server publishing rule cannot be applied. The failure is due to error: 0x80070034
Hello. I am having a similar problem here. I have the same Inter-Tel system in place and I am trying to configure an IP phone for access from anywhere. I have created a server publishing rule that allows traffic from a specific address on the external network to the phone system's internal IP address. The phone connects just fine to the system, however there is no audio. When I monitor the logs for the connection I can see that the traffic coming through the ISA server goes from the External network to the Internal network using the specified protocol and the specified rule but the resulting message is Failed Connection Attempt. I have opened all the necessary ports and I see nowhere where traffic is being denied, it simply just says failed connection. I have been working on this for days with 3 different Inter-Tel technicians and we have not been able to resolve this. There are no alerts indicating an improperly configured rule, nor is there anything in the event logs that indicates something is not right. I am running ISA server 2004 Standard Edition with Service Pack 2 installed. I have also allowed all traffic from the phone cpu to the external network as well. Any advice given will be appreciated. Thanks.
Well, I have mine working perfectly now. I hope what I did to solve mine will help you. Inter-tel and I beat our heads against the wall for many days. One day while poking around in ISA2004 I decided to change one setting - and that did it for me. The setting is the one that says "Requests appear to come from the ISA server". This is located on the TO tab on the server publishing rule.
Incidentally, how did you get it to work from the inside network without having to reprogram the phone? Split DNS, new IP route in the router, or another ISA rule?
You don't need any special rule to get the IP phone working from inside the network. Your IP phone will just loop back through ISA. I believe the IP phone card in the PBX system doesn't care if the client address is public IP or private IP.
Here is what I have as far as ports in the Rule. It's probably a bit of overkill but I haven't had much time to go back and eliminate the unnecessary ports.
Again, forgive the probably unneeded amount of open ports in this as I have not had the time to go back and eliminate them. I had to open so many of them because the Inter-Tel technicians are not even aware of what traffic their own hardware uses.
I know this is an old call, but I thought I would add a note (in the hope it may help someone else). I have recently had the pleasure of setting up VoIP handsets for a client, whose InterTel switch sits behind two firewalls (a perimeter firewall, with an ISA2004 firewall behind that). As such, there was double NAT traversal taking place. The rules I used to get it working were as follows:
On the perimeter firewall:
Forward the following ports back to the ISA2004 external interface IP.

    TCP: 5566 (Handset Connection)
    UDP: 5567 (Handset Connection)
    UDP: 6000-6999 (Voice Data)
    TCP: 4000 (Not required for the phones to work - used to program the Intertel switch, and as such - source traffic restricted to a specific IP)
    TCP: 8080 (Not required for the phones to work - used to program the Intertel switch, and as such - source traffic restricted to a specific IP)
On the ISA firewall:
Create the following publishing rule to publish the Intertel switch which is sitting behind ISA 2004.
Primary Connection:

    TCP: 5565: Inbound
    UDP: 5567: Receive / Send
    UDP: 6000-6999: Receive / Send
    TCP: 4000: Inbound (Once again - used for remote programming)
    TCP: 8080: Inbound (And again - used for remote programming)

There was no need for any additional "allow all from the switch" outbound rule. As mentioned in a previous reply to this post, I too also have the option for "Traffic appears to come from the ISA2004" set.
One thing I will mention is that for a long time we only had voice traffic one way (from the external number into the VoIP handset). This had nothing to do with the firewall rules. It turned out that the telecoms company who managed the switch had not set up the handsets correctly. There is a setting on the InterTel switch that tells it whether a handset is locally attached to the LAN (Native), or remote (NAT-T).
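As an added example (not part of any post in this thread, and not Inter-Tel or Microsoft tooling): when two firewalls are stacked, every port forwarded by the outer one should be published by the inner one and nothing else, so the Python below diffs the two port lists from the double-NAT post above. The lists are transcribed from that post; the `PROTO: port[-port]` line format and all function names are assumptions made for this example.

```python
import re

# Port lists transcribed from the double-NAT post (outer firewall, then ISA).
PERIMETER = "TCP: 5566\nUDP: 5567\nUDP: 6000-6999\nTCP: 4000\nTCP: 8080"
ISA = ("TCP: 5565: Inbound\nUDP: 5567: Receive / Send\n"
       "UDP: 6000-6999: Receive / Send\nTCP: 4000: Inbound\nTCP: 8080: Inbound")

# Assumed line format for this example: "PROTO: port" or "PROTO: lo-hi".
RULE = re.compile(r"^\s*(TCP|UDP)\s*:\s*(\d+)(?:\s*-\s*(\d+))?", re.I)

def parse(text):
    """Return the set of (proto, port) pairs named in a rule listing."""
    ports = set()
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # ignore headings and blank lines
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in rule: {line.strip()!r}")
        ports.update((m.group(1).upper(), p) for p in range(lo, hi + 1))
    return ports

def collapse(ports):
    """Turn (proto, port) pairs back into sorted 'PROTO lo-hi' strings."""
    out = []
    for proto in sorted({p for p, _ in ports}):
        nums = sorted(n for p, n in ports if p == proto)
        start = prev = nums[0]
        for n in nums[1:] + [None]:  # None flushes the final run
            if n is not None and n == prev + 1:
                prev = n
                continue
            out.append(f"{proto} {start}" if start == prev
                       else f"{proto} {start}-{prev}")
            start = prev = n
    return out

def chain_gaps(outer, inner):
    """Ports one layer passes that the other layer does not."""
    o, i = parse(outer), parse(inner)
    return {"forwarded_but_not_published": collapse(o - i),
            "published_but_not_forwarded": collapse(i - o)}

if __name__ == "__main__":
    print(chain_gaps(PERIMETER, ISA))
```

Run against the lists as posted, the only difference reported is the TCP handset port (5566 on the perimeter, 5565 on ISA); the same function can be pointed at any two listings, such as a vendor-documented range and the range actually opened.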