Looking for someone to help with configuring a Firebox for VoIP

I have a client that is getting Intermedia Unite VoIP phone service (hosted PBX?) at their office. This is my first dealing with VoIP in an office setting. They have a T35.

Intermedia has a bunch of pages, including:


on things that need to be set up on a firewall to ensure quality service.

No Watchguard products are on the recommended list:


And they have a page about issues with some firewalls and they talk about the XTMs. Those are old, right (i.e., their page is out of date)?

https://support.intermedia.com/app/articles/detail/a_id/11404/kw/watchguard firewall

This is way beyond my capabilities / I want to make sure it is done right.

Is this anything that Watchguard would do (gratis or for a fee)?

Or is there anyone more experienced here that would be available for hire to help take care of configuring the T35 and help me know what else I need to deal with (do I need to get the MAC addresses of the phones / set up reservations?, etc.).



  • re.: XTM devices:
    XTM devices are older units, with none currently being sold as new. Some WG XTM models are still supported, while other XTM models are no longer supported - having reached end of life.

    If the T35 has an active support contract, then you can open a support case to get help from a WG support rep.

    From the limited info shown in the "Service and Configuration - Port information" page, it seems like a standard Outgoing policy would allow all of these ports and thus access from VoIP phones to a remote PBX service.

    If there are HTTP or HTTPS proxies in use, it probably would be best to use HTTP & HTTPS packet filters for the VoIP traffic for the domain names listed.

    Depending on current incoming & outgoing ISP bandwidth utilization, Traffic Management may be needed to provide higher priority on the VoIP traffic to provide better voice quality.

  • As Bruce says, this is standard SIP traffic.

    1. Create an HTTP and HTTPS filter policy allowing traffic to the domain names in the list.
    2. Create a custom policy allowing UDP 5060, TCP 5060 and TCP 5061 to the domain names in the list.
    3. Create a custom policy allowing UDP 30000-65000 to the domain names in the list.

    This is the easiest way. Allow from ANY or the specific network/IP addresses which must have these policies applied.
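
Added example, not part of the reply above and not WatchGuard or Intermedia code: a small audit that checks a policy list against the flows named in the three steps and flags any policy whose destination is left open instead of limited to the provider's domain names. The policy list is constructed sample data, and the alias `Provider-FQDNs` is a hypothetical name.

```python
# Flows required by the three steps above: (protocol, low port, high port).
# 80/443 are the standard HTTP/HTTPS ports; the rest are the ports named in the steps.
REQUIRED = [("tcp", 80, 80), ("tcp", 443, 443),
            ("udp", 5060, 5060), ("tcp", 5060, 5060), ("tcp", 5061, 5061),
            ("udp", 30000, 65000)]

# Constructed sample policy list (not a real Firebox export).
# "Provider-FQDNs" is a hypothetical alias for the provider's domain names.
POLICIES = [
    {"name": "VoIP-HTTP",    "proto": "tcp", "lo": 80,    "hi": 80,    "dst": "Provider-FQDNs"},
    {"name": "VoIP-HTTPS",   "proto": "tcp", "lo": 443,   "hi": 443,   "dst": "Provider-FQDNs"},
    {"name": "VoIP-SIP-UDP", "proto": "udp", "lo": 5060,  "hi": 5060,  "dst": "Provider-FQDNs"},
    {"name": "VoIP-SIP-TCP", "proto": "tcp", "lo": 5060,  "hi": 5061,  "dst": "Provider-FQDNs"},
    # Two deliberate mistakes: range stops at 60000 and destination is Any.
    {"name": "VoIP-RTP",     "proto": "udp", "lo": 30000, "hi": 60000, "dst": "Any"},
]

def gaps(proto, lo, hi, policies):
    """Return the sub-ranges of lo..hi that no policy for this protocol allows."""
    spans = sorted((p["lo"], p["hi"]) for p in policies if p["proto"] == proto)
    missing, cur = [], lo
    for start, end in spans:
        if end < cur:          # span lies entirely below what is still needed
            continue
        if start > hi:         # span lies entirely above the required range
            break
        if start > cur:        # hole between covered part and this span
            missing.append((cur, start - 1))
        cur = end + 1
    if cur <= hi:              # tail of the required range is uncovered
        missing.append((cur, hi))
    return missing

def audit(policies):
    """Return (uncovered required flows, names of policies with destination Any)."""
    missing = [(proto, a, b) for proto, lo, hi in REQUIRED
               for a, b in gaps(proto, lo, hi, policies)]
    broad = [p["name"] for p in policies if p["dst"].lower() == "any"]
    return missing, broad

if __name__ == "__main__":
    missing, broad = audit(POLICIES)
    for proto, a, b in missing:
        print(f"not allowed: {proto.upper()} {a}-{b}")
    for name in broad:
        print(f"destination not restricted to provider domains: {name}")
```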

  • @Bruce_Briggs I have used Watchguard UTMs for a few years now but realize there's loads I don't know. In the past I've muddled through doing what needed to be done and had never contacted support over that time.

    You mention to 'open a support ticket'.

    1) Through the website, right?

    I did that / got the confirmation email on Tuesday 1:30PM eastern time, asking if configuring the firewall for this was something they do, can help me with or have a stock configuration I can use.

    Haven't heard anything since.

    2) What has been your experience with turn around time from Watchguard Support (medium / default urgency)?

    This is the 2nd time I've reached out to support. The first time, I called in. Someone took my info. I asked for a call back, not email. And even said 'the tech can call anytime'. The rep clarified... 'we work 24/7, you are ok with a call at 3AM?' I said yes.

    They couldn't tell me how long it would take to hear back.

    Someone emailed me a few hours later, sending some KB pages that didn't touch on the questions / issues I had, said they were going home for the day and I could reach out if I had any other questions (rather than letting someone else who had more time, actually call me).

    Disappointed that support wasn't helpful / didn't even do what I asked (call, not email), I asked on Spiceworks about this. A couple people chided me for thinking support would do things for me because I don't know the box as well as I could.

    And the Watchguard SE said basically the same thing, but even in snarkier terms.

    As for the things you and @[email protected] describe as needed, thanks!

    At the same time, I'm looking to have someone that's experienced with the box do this while I watch or walk me through the steps rather than try to do it myself this first time.

    I don't want the client to have a bad experience with this VoIP service because I missed something or did something wrong doing the configuration.

  • To be fair you are asking to be educated on the product which is not the main purpose for support. Basic network knowledge is required and all product documentation is online 24/7.

    My 3 steps are the answer to your question.

  • @[email protected]

    Yes, optimally I'd learn from this. But leaving out the idea that I'd watch the work being done, @Bruce_Briggs talked of a support rep 'helping'. Would you agree? And then too, what does help really mean?

    Part of my first dealing with Watchguard support was me asking - how much of what I don't know would support do vs. how many hours do I spend on trying to get something to work ie when can I

    My dealings with support from all different types of companies have ranged from minimal support, maybe just to confirm I found a bug and that's why something isn't working, to them remoting into the network and doing everything needed for basic setup.

    I was trying to understand where Watchguard is on that spectrum and from that first dealing, this isn't something I could expect 'help' from support beyond a yes or no that they have a premade configuration.

    That's why I realize it seems I have to find someone outside of Watchguard support.

  • What you are looking for is child's play for many of us...you need a custom packet filter. You need either a phone network or to have your devices on static (reserved) IPs and an alias...five minutes....maybe ten.
