Looking for someone to help with configuring a Firebox for VoIP

I have a client that is getting Intermedia Unite VoIP phone service (hosted PBX?) at their office. This is my first dealing with VoIP in an office setting. They have a T35.

Intermedia has a bunch of pages, including:


on things that need to be set up on a firewall to ensure quality service.

No Watchguard products are on the recommended list:


And they have a page about issues with some firewalls and they talk about the XTMs. Those are old, right (i.e., their page is out of date)?

https://support.intermedia.com/app/articles/detail/a_id/11404/kw/watchguard firewall

This is way beyond my capabilities / I want to make sure it is done right.

Is this anything that Watchguard would do (gratis or for a fee)?

Or is there anyone more experienced here that would be available for hire to help take care of configuring the T35 and help me know what else I need to deal with (do I need to get the MAC addresses of the phones / set up reservations?, etc.).



  •

    re.: XTM devices:
    XTM devices are older units, with none currently being sold as new. Some WG XTM models are still supported, while other XTM models are no longer supported - having reached end of life.

    If the T35 has an active support contract, then you can open a support case to get help from a WG support rep.

    From the limited info shown in the "Service and Configuration - Port information" page, it seems like a standard Outgoing policy would allow all of these ports and thus access from VoIP phones to a remote PBX service.

    If there are HTTP or HTTPS proxies in use, it probably would be best to use HTTP & HTTPS packet filters for the VoIP traffic for the domain names listed.

    Depending on current incoming & outgoing ISP bandwidth utilization, Traffic Management may be needed to provide higher priority on the VoIP traffic to provide better voice quality.

  •

    As Bruce says, this is standard SIP traffic.

    1. Create an HTTP and HTTPS filter policy allowing traffic to the domain names in the list.
    2. Create a custom policy allowing UDP 5060, TCP 5060 and TCP 5061 to the domain names in the list.
    3. Create a custom policy allowing UDP 30000-65000 to the domain names in the list.

    This is the easiest way. Allow from ANY or the specific network/IP addresses which must have these policies applied.

  •

    @Bruce_Briggs I have used Watchguard UTMs for a few years now but realize there's loads I don't know. In the past I've muddled through doing what needed to be done and had never contacted support over that time.

    You mention to 'open a support ticket'.

    1) Through the website, right?

    I did that / got the confirmation email on Tuesday 1:30PM eastern time, asking if configuring the firewall for this was something they do, can help me with or have a stock configuration I can use.

    Haven't heard anything since.

    2) What has been your experience with turn around time from Watchguard Support (medium / default urgency)?

    This is the 2nd time I've reached out to support. The first time, I called in. Someone took my info. I asked for a call back, not email. And even said 'the tech can call anytime'. The rep clarified... 'we work 24/7, you are ok with a call at 3AM?' I said yes.

    They couldn't tell me how long it would take to hear back.

    Someone emailed me a few hours later, sending some KB pages that didn't touch on the questions / issues I had, said they were going home for the day and I could reach out if I had any other questions (rather than letting someone else who had more time, actually call me).

    Disappointed that support wasn't helpful / didn't even do what I asked (call, not email), I asked on Spiceworks about this. A couple people chided me for thinking support would do things for me because I don't know the box as well as I could.

    And the Watchguard SE said basically the same thing, but even in snarkier terms.

    As for the things you and @rv@kaufmann.dk describe as needed, thanks!

    At the same time, I'm looking to have someone that's experienced with the box do this while I watch or walk me through the steps rather than try to do it myself this first time.

    I don't want the client to have a bad experience with this VoIP service because I missed something or did something wrong doing the configuration.

  •

    To be fair you are asking to be educated on the product which is not the main purpose for support. Basic network knowledge is required and all product documentation is online 24/7.

    My 3 steps are the answer to your question.

  •


    Yes, optimally I'd learn from this. But leaving out the idea that I'd watch the work being done, @Bruce_Briggs talked of a support rep 'helping'. Would you agree? And then too, what does help really mean?

    Part of my first dealing with Watchguard support was me asking - how much of what I don't know would support do vs. how many hours do I spend on trying to get something to work ie when can I

    My dealings with support from all different types of companies have ranged from minimal support, maybe just to confirm I found a bug and that's why something isn't working, to them remoting into the network and doing everything needed for basic setup.

    I was trying to understand where Watchguard is on that spectrum and from that first dealing, this isn't something I could expect 'help' from support beyond a yes or no that they have a premade configuration.

    That's why I realize it seems I have to find someone outside of Watchguard support.

  •

    What you are looking for is child's play for many of us...you need a custom packet filter. You need either a phone network or to have your devices on static (reserved) IPs and an alias...five minutes....maybe ten.
