Associate (Joined: 26 Oct 2002; Posts: 1,728; Location: Surrey)
Hi guys.
I run a successful IT company that specializes in the Legal Sector and while I am not a telephony person at all, I am finding myself drawn ever closer to having to deal with this side of things, which sucks to be honest.
I have one particular client that uses a full remote desktop/satellite office model, with getting close to 100 solo remote workers alone (not counting remote offices/workers there) and they are experiencing ever-increasing issues with dropped calls mid-conversation, one-way conversations, inability to get external lines etc. The last one is being put down to not enough SIP channels by the phone company and they are putting in an expansion card next week.
The system is an LG IPECS. No site-to-site VPN or static internet IP address needed for the phones, just certain ports forwarded through a router at the IPECS end through to the controller.
The comms line is what is known as a 2Mbit SDSL Annex M connection with failover line and is controlled by a Cisco 1841 running in bridged mode. No data manipulation is being carried out by the Cisco that I am aware of, packets are being passed straight through to a Draytek Vigor 2950 Router (SIP DISABLED) which in turn feeds only the IPECS.
Traffic is well within limits, peaking at around 0.7Mbit in/out during the day and is confirmed by both the Draytek and Cisco logging. The client is at the end of their tether and have begged me to get involved as the phone company seem to be helpless in regard to the NAT/SIP/IP side of this problem. Pretty well everything I read states that wherever possible, the SIP side of a phone server should be outside a firewall, on a public internet IP address and I totally understand that as NAT routers are known to cause all sorts of issues for SIP-related traffic.
The problem I currently have is that the IPECS only has 1 LAN port and LG insist that it has to sit behind a firewall as it has no inbuilt firewall/defences against attack. I know for a fact that an additional card/interface can be added but as for whether or not the IPECS can be programmed to gateway SIP traffic out on that only outside the firewall, while maintaining normal internal LAN traffic, is out of my field of knowledge.
As the client was desperate to be seen as doing something for the workers, they roped me in to looking at all of this, dropping a large data centre project that I am supposed to be installing this weekend, and I spent most of yesterday at their offices. The only realistic thing I could try was putting a totally different router in, in place of the trusted Vigor 2950 (which worked perfectly with the previous Avaya phone system by the way, albeit VPN-based). I dug out an old Linksys RV082 and set all the routing up to emulate the Vigor. Early days yet but I do believe that if anything, the problem is worse.
The pain is that the phone people seem incapable of giving me information regarding live system monitoring, won’t allow me access to the unit to just do it myself and I have just had enough of it basically. As far as I am concerned even if the IPECS doesn't have a built-in firewall, we may have to go old school with it and just use stupidly long/complex passwords to protect system access/SIP channel access and slap it on the internet, if a secondary interface allows it.
As far as I am concerned, LG should have a list of approved routers/configs purely based on this apparent inability to work outside a firewall but the phone company tell me that this isn't the case.
I have already asked the company that manages the line/Cisco whether or not they would be prepared to alter the Cisco from a bridge to a router, put in all the relevant firewall rules and let that act as the firewall for the IPECS, purely so I can take the Draytek out of the picture and wash my bloody hands of it all, not that the client will let me get away that easily........
My questions are:
Does anyone on here know the IPECS systems?
If so, do they really have no ability to route via WAN/LAN setup with a secondary interface card?
Am I right in saying that putting SIP servers behind firewalls should be avoided whenever possible?
That is about it I think, sorry for the waffle....
Nick.