I wanted to know what ports everyone tells their customers to open and why for the hosted PBX and phones to work correctly?
Sonicwall
This is the router they are using and it has been fun...... The Polycoms will not provision via FTP or HTTP; all it says is could not contact boot server. The phones will register at the site but only with last known good config and it functions properly after it boots. Cannot update phone once on site....Help
Which router are they using? The sonicwall? My advice, get rid of the firewall or get rid of the client :) Many people will probably argue that, but in the end you are fighting a losing battle and wasting a lot of time and money doing so, and probably making yourself appear bad to the client.
You gotta imagine that the sonicwall is designed as a security device. Keeping things in that need to stay in, and out that needs to stay out. And large amounts of UDP traffic, unless otherwise specified, is probably on lock down.
Actually, I had an experience with one that ended badly and it ended up that something in the device hardware (poorly built) was destroying the sip calls. Had nothing to do with configuration, it was simply crap hardware. This was on a 100mb Charter Cable pipe that couldn't even handle 1 call. Changed to a draytek for 180 bucks and it fixed it immediately.
You can also get an Edgewater 200AE pretty cheap, set up Option 66 in the router itself, format the Polycom, reboot it and it will just work. Polycoms are great, but can be a headache sometimes. I use Polycom IP670's, VVX1500 and Aastra 6757i's for almost all my clients.
The 200AE's are end-of-life.. now it's the 250W's. It does ADSL/ethernet/USB-EVDO for the WAN. It has 8 LAN ports, wifi ethernet, and 4 FXS ports. One nice feature of the edgemarc is the proxy-arp setting. If you get issued a subnet like a /29 you can take one of the other IP's and proxy-arp it to the LAN segment. Then the customer's PITA firewall thinks it's connected to the public internet. Meanwhile you run your phones on a separate VLAN connected directly to the edgemarc.
Very strange
I have asked the customer to open the port to our server like 80,21,5060-5090,123,10000-20000
But the phones still cannot contact the boot server. Now this is a corporate network with sonic walls at the site that point to a sonic wall at another site that then connects to a managed network, and they say they are not blocking us. As I said before, the problem is just contacting the boot server, because when it fails it reverts back to last known good config and boots and works. I just cannot make changes to the phone via the config....
Did I miss a port to have opened?
Is it a proxy problem?
The customer has no access to open Internet just the managed.
Thanks
What causes this
Access TCP handshake violation detected; TCP connection dropped
This is what is showing on the sonic walls when we try and boot to FTP?
Your sonicwall is doing that.. the piece of crap that it is. You don't need to open ports for egress traffic. Your sonicwall has decided, much like microsoft, that you don't know what you're doing and that they are better skilled at determining how you should run your business. Are you sure the sonicwall has enough licenses? Those pieces of crap will ARP poison the network if there are more devices than are allowed. That includes shit that doesn't even use the internet like a network attached printer etc.
Do you have an internet connection with a static ip? Do you happen to have a range of static IP's? If so get an edgemarc and stick the damn thing in front of the sonicwall and stick your phones on the edgemarc. Tell the sonicwall to go screw itself.
But your evidence is clear that the sonicwall is rejecting the connection.. says so right in the logs. They are faced with a choice... either fix the sonicwall, get public IPs and stick an edgemarc in front of the sonicwall, or get a second internet connection for the phones.
Fix the sonicwall
This will be the only option that they will go for because I have tried the other 2. I just don't know what setting to change to allow the phones to provision.
It's an FTP connection.. you should be able to use any FTP client to fetch those files, so experiment with a basic URL string ftp://PlcmSpIp:PlcmSpIp@your.ip.address/macaddr.cfg
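The manual FTP fetch suggested above can be scripted so it reports which stage fails (control connection, login, or data transfer) in passive and active mode. This is an added example, not part of the original thread: `probe_boot_server` and `summarize` are hypothetical helper names, and the lowercase, separator-free MAC file name is an assumption about how the server stores the file.

```python
import ftplib


def probe_boot_server(host, mac, user="PlcmSpIp", password="PlcmSpIp",
                      ftp_factory=ftplib.FTP, timeout=10):
    """Try to fetch <mac>.cfg in passive and then active FTP mode.

    Returns {mode: (failed_stage_or_None, detail)}; the failed stage
    (connect, login or retr) shows where the path breaks.
    """
    # Assumption: the file is named with the lowercase MAC, no separators.
    filename = mac.lower().replace(":", "").replace("-", "") + ".cfg"
    report = {}
    for passive in (True, False):
        mode = "passive" if passive else "active"
        ftp = ftp_factory(timeout=timeout)
        stage = "connect"
        try:
            ftp.connect(host, 21)           # TCP handshake on the control port
            stage = "login"
            ftp.login(user, password)
            stage = "retr"
            ftp.set_pasv(passive)           # active mode makes the server dial back
            chunks = []
            ftp.retrbinary("RETR " + filename, chunks.append)
            report[mode] = (None, "%d bytes" % sum(len(c) for c in chunks))
        except ftplib.all_errors as exc:    # FTP errors, socket errors, EOF
            report[mode] = (stage, "%s: %s" % (type(exc).__name__, exc))
        finally:
            ftp.close()
    return report


def summarize(report):
    """Reduce the per-mode report to one line for a firewall ticket."""
    failed = {mode: stage for mode, (stage, _) in report.items() if stage}
    if not failed:
        return "FTP works in both modes"
    stages = set(failed.values())
    if stages == {"connect"}:
        return "control connection to TCP 21 never completes"
    if len(failed) == 1 and stages == {"retr"}:
        return "data channel fails in %s mode only" % next(iter(failed))
    return "failed at: " + ", ".join(
        "%s/%s" % item for item in sorted(failed.items()))
```

Run `summarize(probe_boot_server("your.ip.address", "<phone MAC>"))` from a PC on the same LAN segment as the phones and compare the result with the firewall log for the same time.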
In the end you just have to decide whether wasting all this time on a support nightmare is worth it. Why not just manually provision these phones and be done with it?
SSL cert
Ok still trying to get FTPS working with the Polycoms.
Purchased an SSL from GoDaddy and now having a problem again.
From what I am being told I need to purchase an SSL from one of the certified SSL providers that Polycom recommends in the admin guide. Does anyone have experience with this and have any recommendations on where and what to purchase that will work perfectly for this?
Customer blocks all FTP traffic
The customer is blocking all FTP traffic.
So I went the HTTP route but they use a proxy so that did not work.
Then I was told they will pass FTPS, so that will work for the configs but not work for the application and bootrom.
Tell them that their choice, no matter what fucking provider they decide to go with, is either allow provisioning traffic for the phones, or don't have service. It's that simple. Tell them to get off their ass and set up a rule that allows FTP traffic TO your IP. It's not like they are allowing all FTP traffic. If they don't know how to do that, suggest they call sonicwall and figure it out because this is a skill that anyone being paid to actually manage a firewall should be capable of doing.
Chances are if you have the proper router you won't need to open any ports. There are a ton of routers and/or firewalls that simply won't work regardless of ports that you open because they are crap.
UDP Port 5060 - SIP Registrations
UDP Ports 10000-20000 - RTP Traffic
RTP Traffic can be different from phone to phone and depending on what you have setup in your configs.
Another thing I have had to do on some Fortinets and Sonicwalls is disable something called SIP FIXUP. Mutilates SIP messages.
I highly recommend a router by Draytek, BIG BANG for your buck. No extra costs for VPN, management, etc... Runs you about 200 bucks with or without DSL Modem / Wifi. Great QoS and real time bandwidth monitoring.