Connecting from outside local network - Snom 870 behind NAT
  •  
fishtech

Hi,

For the first time I am trying to connect a Snom 870 from a home network to the office Operator.

The home network is a basic DSL account using NAT.

The office Operator has a real IP address and is not behind NAT.

Operator softphone client on iPhone works fine from the home network.

I have marked the extension as 'Behind NAT' in Operator, but the Snom 870 will not connect. I can see nothing in the logs on the server.

The phone was provisioned and worked well at the office. The DNS addresses to Operator are the same in/out of the office (split-horizon DNS).

Is there something specific I need to set on the handset?

Thanks,

ft.
  •  
Brian Carmichael (Kerio)

If the phone was automatically provisioned, then it won't work outside the network unless you have a VPN tunnel. The best option is to manually provision the phone.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
fishtech

I have set Settings > Advanced > Update > Update policy to Never Update, do not load settings.

Identity 1 is configured correctly for the user.

I still get nothing on the server logs to show the phone is reaching out.

Do any specific changes need to be made on the phone now it is behind NAT?

Thanks,

ft.
  •  
Filip Jenicek (Kerio)

Hi,

Once you change the identity 1 settings to point to the correct IP address, it should start working. I am not aware of any other settings to update.

Also make sure that the built-in firewall in Operator is not blocking access to SIP (port 5060).

Make a packet dump to check that the phone sends REGISTER requests to Operator.

Filip

[Updated on: Thu, 07 May 2015 07:57]

  •  
fishtech

When I use portscan to scan ports 5060 and 5061 on operator I see only

Quote:
Open TCP Port: 5061 sip-tls
Port Scan has completed...


There is no mention of 5060. Are you blocking port scanning on 5060 on Operator?

In Configuration > Network > Firewall > SIP, All IP Addresses is selected.

Thanks,

ft.

[Updated on: Thu, 07 May 2015 20:55]

  •  
fishtech

Any chance this could be a router problem?

I am testing the remote handset via a Motorola NVG510 with software 9.0.6h2d45.

Thanks,

ft.
  •  
Brian Carmichael (Kerio)

You indicated that Operator is directly connected to the Internet with no NAT, so I don't expect there to be any firewall or routing issues. Usually port 5060 is only open for UDP so it may not show up on port scans. Have you tried configuring a software client such as Zoiper? At least you'll know that remote registration works and you can rule out any networking issues.
Have you tried to factory reset the phone and configure it manually?

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
fishtech

Quote:
Have you tried configuring a software client such as Zoiper?



Not yet, but I can try Zoiper.

FWIW, Operator softphone on iPhone works behind the remote router (over WiFi). Does that count?

Quote:
Have you tried to factory reset the phone and configure it manually?


Not yet. Have been using the settings as provisioned to the phone via the office network with Operator - it worked in good order at the office.

I will try and reset the phone completely later today.

b.
  •  
fishtech

I tried Zoiper on a remote laptop this afternoon.

I just get:

2015-05-08 17:59:00: Registering account '509p2@phones.myco.com' failed, protocol_code: 408, cause_code: 102 (recovery on timer expiry).
2015-05-08 17:59:40: Registering account '509p2@phones.myco.com' failed, protocol_code: 408, cause_code: 102 (recovery on timer expiry).
2015-05-08 18:00:28: Registering account '509p2@phones.myco.com' failed, protocol_code: 408, cause_code: 102 (recovery on timer expiry).


I have tried using passthrough to put the laptop in the DMZ but get the same results.

I am using ATT as a service provider and their UVerse service. UVerse can be configured by ATT to offer VOIP... could that be interfering?

I even paid $49 for a support call with ATT this afternoon but they could not help beyond port forwarding port 5060 on the router.

Thanks,

ft.
  •  
ksnyder

AT&T *may* be a problem. I've recently worked with 2 customers/partners that had issues.

Ken Snyder
  •  
Filip Jenicek (Kerio)

Please make a packet dump while Zoiper is running to check that SIP packets arrive at Operator.

  •  
fishtech

Using packet dump I do not see any packets arriving at the server when Zoiper tries to connect from remote site using ATT UVerse.

Zoiper can connect in good order from the DMZ at the office, and from the LAN at the office.

From an ATT UVerse network, Telnet to port 5060 does not connect... it just shows 'trying'.

Telnet to port 5060 connects in good order on other networks.

This appears to be a UVerse issue. Apparently UVerse uses SIP-ALG on port 5060 and does not allow it to be deactivated. Will try and find more info.

ft.
  •  
fishtech

My paid support call to ATT was fruitless.

I discovered SIP-ALG "may or may not" be active on port 5060 on their Motorola NVG510 routers. They would not confirm or deny. ATT does not permit SIP-ALG to be configured by consumers in any way.

Looking for a workaround... can Operator be configured to offer SIP on a port other than 5060?

Thanks,

ft.

[Updated on: Tue, 12 May 2015 17:10]

  •  
Filip Jenicek (Kerio)

Not easily, port 5060 is hardcoded in several components.

It might be possible to configure your gateway to forward a higher port to the Operator's 5060.

Another option is to configure your client to use TLS instead of UDP. Operator listens for TLS connections on port 5061.
  •  
fishtech

Unfortunately 5061 seems broken also on uVerse.

I can connect using Zoiper on 5061 when in the office DMZ.

When on uVerse I can make a telnet connection to 5061 (unlike 5060) but Zoiper will not connect.

One thing I do not understand in all this is how the Operator softphone app for iPhone will work on uVerse. Does it have a different method of connecting to the server?

ft.

[Updated on: Wed, 13 May 2015 16:50]
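
The thread's port scan and telnet checks only exercise TCP, while SIP on 5060 is usually UDP. The sketch below is an added example (not from the original posts and not Kerio code): it sends a single SIP OPTIONS request over UDP and reports the status code plus the `received`/`rport` values the server echoes, which show the public address and port the NAT presented. The function names and the sample reply are assumptions constructed for illustration.

```python
import re
import socket
import uuid

# Constructed sample reply (documentation addresses), not captured from a real server.
SAMPLE_REPLY = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.20:40000;branch=z9hG4bKabc;"
    b"received=203.0.113.7;rport=61234\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def build_options(target, local_ip, local_port):
    """Minimal SIP OPTIONS request; ';rport' asks the server to echo our source port."""
    return "\r\n".join([
        f"OPTIONS sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{uuid.uuid4().hex[:16]};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{target}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",
    ]).encode()

def parse_reply(data):
    """Status code plus the public address/port the server saw (Via received/rport)."""
    text = data.decode(errors="replace")
    status = re.match(r"SIP/2\.0 (\d{3})", text)
    via = re.search(r"^(?:Via|v)\s*:.*$", text, re.M | re.I)
    via_line = via.group(0) if via else ""
    received = re.search(r"received=([^;\s]+)", via_line)
    rport = re.search(r"rport=(\d+)", via_line)
    return {"status": int(status.group(1)) if status else None,
            "received": received.group(1) if received else None,
            "rport": int(rport.group(1)) if rport else None}

def probe(host, port=5060, timeout=3.0):
    """Send one OPTIONS over UDP. None means no SIP reply reached us in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP socket: picks the local IP for Via
        local_ip, local_port = s.getsockname()
        s.send(build_options(host, local_ip, local_port))
        try:
            return parse_reply(s.recv(4096))
        except (socket.timeout, ConnectionRefusedError):
            return None
```

Any SIP status in the result, including 401 or 404, means UDP reached the server and the reply came back; `None` from one network but not another points at the path in between, which a packet dump on the server can confirm.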
