Looking for someone to help with configuring a Firebox for VoIP
I have a client that is getting Intermedia Unite VoIP phone service (hosted PBX?) at their office. This is my first dealing with VoIP in an office setting. They have a T35.
Intermedia has a bunch of pages, including:
https://support.intermedia.com/app/articles/detail/a_id/15507/type/KB
on things that need to be set up on a firewall to ensure quality service.
No Watchguard products are on the recommended list:
https://support.intermedia.com/app/articles/detail/a_id/11411
And they have a page about issues with some firewalls and they talk about the XTMs. Those are old, right (i.e., their page is out of date)?
https://support.intermedia.com/app/articles/detail/a_id/11404/kw/watchguard firewall
This is way beyond my capabilities / I want to make sure it is done right.
Is this anything that Watchguard would do (gratis or for a fee)?
Or is there anyone more experienced here that would be available for hire to help take care of configuring the T35 and help me know what else I need to deal with (do I need to get the MAC addresses of the phones / set up reservations, etc.)?
Thanks!
Comments
-
re.: XTM devices:
XTM devices are older units, with none currently being sold as new. Some WG XTM models are still supported, while other XTM models are no longer supported - having reached end of life.
https://www.watchguard.com/wgrd-trust-center/end-of-life-policy
If the T35 has an active support contract, then you can open a support case to get help from a WG support rep.
From the limited info shown in the "Service and Configuration - Port information" page, it seems like a standard Outgoing policy would allow all of these ports and thus access from VoIP phones to a remote PBX service.
If there are HTTP or HTTPS proxies in use, it probably would be best to use HTTP & HTTPS packet filters for the VoIP traffic for the domain names listed.
Depending on current incoming & outgoing ISP bandwidth utilization, Traffic Management may be needed to provide higher priority on the VoIP traffic to provide better voice quality.
0 -
As Bruce says, this is standard SIP traffic.
- Create an HTTP and HTTPS filter policy allowing traffic to the domain names in the list.
- Create a custom policy allowing UDP 5060, TCP 5060 and TCP 5061 to the domain names in the list.
- Create a custom policy allowing UDP 30000-65000 to the domain names in the list.
This is the easiest way. Allow from ANY or the specific network/IP addresses which must have these policies applied.
0 -
@Bruce_Briggs I have used Watchguard UTMs for a few years now but realize there's loads I don't know. In the past I've muddled through doing what needed to be done and had never contacted support over that time.
You mention to 'open a support ticket'.
1) Through the website, right?
I did that / got the confirmation email on Tuesday 1:30PM eastern time, asking if configuring the firewall for this was something they do, can help me with or have a stock configuration I can use.
Haven't heard anything since.
2) What has been your experience with turn around time from Watchguard Support (medium / default urgency)?
This is the 2nd time I've reached out to support. The first time, I called in. Someone took my info. I asked for a call back, not email. And even said 'the tech can call anytime'. The rep clarified... 'we work 24/7, you are ok with a call at 3AM?' I said yes.
They couldn't tell me how long it would take to hear back.
Someone emailed me a few hours later, sending some KB pages that didn't touch on the questions / issues I had, said they were going home for the day and I could reach out if I had any other questions (rather than letting someone else who had more time, actually call me).
Disappointed that support wasn't helpful / didn't even do what I asked (call, not email), I asked on Spiceworks about this. A couple of people chided me for thinking support would do things for me because I don't know the box as well as I could.
And the Watchguard SE said basically the same thing, but even in snarkier terms.
As for the things you and @rv@kaufmann.dk describe as needed, thanks!
At the same time, I'm looking to have someone that's experienced with the box do this while I watch or walk me through the steps rather than try to do it myself this first time.
I don't want the client to have a bad experience with this VoIP service because I missed something or did something wrong doing the configuration.
0 -
To be fair you are asking to be educated on the product which is not the main purpose for support. Basic network knowledge is required and all product documentation is online 24/7.
My 3 steps are the answer to your question.
1 -
Yes, optimally I'd learn from this. But leaving out the idea that I'd watch the work being done, @Bruce_Briggs talked of a support rep 'helping'. Would you agree? And then too, what does help really mean?
Part of my first dealing with Watchguard support was me asking - how much of what I don't know would support do vs. how many hours do I spend on trying to get something to work ie when can I
My dealings with support from all different types of companies have ranged from minimal support, maybe just to confirm I found a bug and that's why something isn't working, to them remoting into the network and doing everything needed for basic setup.
I was trying to understand where Watchguard is on that spectrum and from that first dealing, this isn't something I could expect 'help' from support beyond a yes or no that they have a premade configuration.
That's why I realize it seems I have to find someone outside of Watchguard support.
0 -
What you are looking for is child's play for many of us... you need a custom packet filter. You need either a phone network or to have your devices on static (reserved) IPs and an alias... five minutes... maybe ten.
0
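An added example, not part of the thread and not WatchGuard configuration syntax: a small Python check that a planned set of outbound policies covers the SIP and media ports listed in the three-step reply, and that each policy is scoped to the phone network and the provider's domain names rather than Any, as the last reply suggests. The policy dictionaries, the 10.0.20.0/24 phone subnet and sip.provider.example are constructed placeholders.

```python
from ipaddress import ip_network

# Flows from the three-step reply: SIP signalling plus the UDP media range.
REQUIRED = [("udp", 5060, 5060), ("tcp", 5060, 5060),
            ("tcp", 5061, 5061), ("udp", 30000, 65000)]

def covers(policy, proto, lo, hi):
    """True if a single policy allows the whole proto/port range."""
    return any(p == proto and plo <= lo and hi <= phi
               for p, plo, phi in policy["ports"])

def audit(policies, phone_net, provider_fqdns):
    """Return (missing flows, scope findings) for outbound allow policies."""
    phone_net = ip_network(phone_net)
    missing = [r for r in REQUIRED
               if not any(covers(p, *r) for p in policies)]
    findings = []
    for p in policies:
        # Source should be the phone network (or part of it), not Any.
        if p["from"] == "Any":
            findings.append((p["name"], "source is Any"))
        elif not ip_network(p["from"]).subnet_of(phone_net):
            findings.append((p["name"], "source outside phone network"))
        # Destination should be limited to the provider's listed names.
        if p["to"] == "Any" or set(p["to"]) - set(provider_fqdns):
            findings.append((p["name"], "destination wider than provider list"))
    return missing, findings

# Constructed sample policies (hypothetical names, subnet and FQDN).
SAMPLE = [
    {"name": "VoIP-SIP", "from": "10.0.20.0/24",
     "to": ["sip.provider.example"],
     "ports": [("udp", 5060, 5060), ("tcp", 5060, 5061)]},
    {"name": "VoIP-RTP", "from": "Any",
     "to": ["sip.provider.example"],
     "ports": [("udp", 30000, 60000)]},   # range stops short of 65000
]

if __name__ == "__main__":
    missing, findings = audit(SAMPLE, "10.0.20.0/24", ["sip.provider.example"])
    print("missing flows:", missing)
    print("scope findings:", findings)
```
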

