IP PHONE DEPLOYMENT PART 6 OF 6
Table Of Contents
6 – Avaya Phone Remote Worker VPN Client Firewalling
Avaya Phone Remote Worker VPN Client Firewalling
11xx series built-in VPN client
IP Deskphones Fundamentals, Appendix H (NN43001-368)
- CS1000 Call Server, Signaling Server & Media Gateways (MGCs/VGMCs)
- Avaya CS1000 IP Phone, 1120/1140/1150/1165, UNIStim 4.2 (C7M) or later
- Secure Router 2330 version 10.3.2 or later, or
VPN Router 1750, 2700, 5000 version 3.2 or later, or
VPN Gateway 3050, 3070 version 7.0 or later
VPN Wizard Tools, Listening Mode, Peer-to-Peer Configuration Mode
- Boot phone
- At “Avaya” text on IP Phone display
- Mute + 5 + 6 + Mute
- A 15 minute timber starts, if configuration is not completed within 15 minutes the process must be restarted.
- 802.1Q is disabled while in listening mode. Phone must be rebooted to re-enable 802.1Q.
- Launch VPN Wizard Tools & configure IP Phone
The Contivity VPN Client requires a license from Avaya in order to operate beyond the 30 day trial license built-in to every phone. Once the trial license expires, a license file must be loaded to continue operation. The license file is valid for a limit time (e.g., a one year license), and the license expiry is contained within the license file (which is an XML file— the license is contained within the
NOTE: There is no warning about pending license file expiration, so the administrator must mark on their calendar the expiration date and make sure to acquire and load a new license file to prevent service interruption.
- Administrator must allow the appropriate TCP/UDP ports through the firewall (WAN >> VPN) for the Contivity client to connect.
- Administrator must allow traffic from the VPN client to the CS1000 equipment (i.e., TCP/UDP control and/or IP range control.)
The installer and administrator should review the VPN router’s support for QoS. The SR2330 does not support 802.1q or 802.1p QoS prioritization (no DSCP or layer 2 priority bits) for ingress or egress. Prioritization should be done at the connecting ethernet switch/router.
Also, there is no QoS on the internet and the equipment is not able to overcome issues caused by internet latency, jitter or packet loss. See the Avaya CS1000 Heartbeat Troubleshooting article I posted on my personal blog for more information about RUDP (reliable UDP) heartbeat troubleshooting (especially the usiGetPhoneRudpSettingscommand for IP Phone RUDP Heartbeat configuration.)
The built-in Contivity VPN client supports TFTP/HTTP provisioning over the VPN connection. This can be used to ensure that the license file is updated before expiration.
IP Phone behind 3rd party VPN client
Installing a CS1000 IP Phone behind a 3rd party VPN is virtually identical to using the built-in Contivity client, except that the remote user must have a VPN router. Many of the principals are the same, with the key activity being to configure the VPN access rules to allow the VPN traffic from the VPN client, and to allow access from the VPN client subnet to the Avaya CS1000 equipment, plus any IP Phone subnets that exist. See Firewall considerations below for a more detailed list of access control considerations.
No special provisioning/configuration is required for the IP phone, but for most remote working environments there is no DHCP provisioning due to the lack of robust DHCP options at the remote location. Without the ability to deliver DHCP provisioning with the DHCPOFFER, TFTP/HTTP provisioning or manual provisioning is required.
A common issue that manifests for customers is when a new branch location is added, but the routing or ACL settings are not updated to permit remote users from routing or accessing the new branch location— this can result in calls without speech paths.
Considerations & potential issues
- ACL rules between IP Phone and DCHP server: VLAN or DHCP provisioning failures.
- ACL rules between IP Phone and TFTP/HTTP server: TFTP/HTTP provisioning failures.
- ACL rules between IP Phone and Signaling Server(s): Registration failures, Firmware upgrade failures, unexpected operation.
- ACL rules between endpoints (IP Phone to IP Phone, or IP Phone to Media Gateways): Media payload issues (one way speech or no speech).
- QOS rules between IP Phone and Signaling Server(s): Phone reboots due to heartbeat