Port Forwarding (Kerio Operator behind Firewall)
  •  
sigfrido@netatwork.it

Hello, we have several clients with Kerio (Appliance) behind firewalls; we normally assign a static NAT from the Kerio internal IP to one of the public addresses that we have available. This way everything works just fine. BUT we have another client who has only 4 IPs (that is, a 255.255.255.252 mask). I was wondering if I can use port forwarding for this particular case. Thanks in advance
Sigfrido
  •  
Filip Jenicek (Kerio)

Hi

That shouldn't be a problem. Please note that although such a network has 4 IP addresses, only two of them, the middle ones, are usable for network devices. The other two (first and last) are network and broadcast addresses.

Filip
  •  
sigfrido@netatwork.it

Hi Filip,
yes, that is exactly the problem: we have to use the two middle IPs for router and firewall, so we can't map another IP to the Operator itself.
So which ports do we need to forward to the Kerio appliance? TCP/UDP 5060 for sure... what else?
ty very much for your help
Sigfrido
  •  
Vladimir Toncar (Kerio)

See http://kb.kerio.com/product/kerio-operator/server-configuration-kerio-operator/configuring-nat-821.html

In addition to TCP/UDP 5060, you need to map TCP 5061 (secure SIP) if you use the Kerio Operator Softphone or another phone that supports encrypted calls. You also need some range of UDP ports for RTP (this should match the RTP range configured in Operator's network settings).
  •  
steinham

Hi,
it depends on your needs... :)

By default there are: HTTP and HTTPS (client access and admin redirect), Operator WebAdmin (TCP/4021), SIP (UDP/5060), SIP TCP (TCP/5060) and SIP TLS (TCP/UDP/5061).
Maybe also TFTP, SNMP and some dynamic ports used for RTP (see Conf. -> Network -> General tab).
Of course, leave closed any services which will not be used.

Hope that it is all...

Martin

______________________________
Martin Steinhauser
tester
Kerio Technologies
  •  
sigfrido@netatwork.it

Many thanks to both of you.
We will set up this config and let you know if it works as expected.
Have a nice day :)
Sigfrido
  •  
Vladimir Toncar (Kerio)

Hi,

I need to correct Martin. You should not expose TFTP to the outside.

BTW, do you need to access this Operator instance from the outside? If the answer is no, you do not need to map anything (unless the SIP carrier requires you to have a public IP address).

[Updated on: Wed, 10 February 2016 10:04]

  •  
sigfrido@netatwork.it

Hi Filip,
yes, of course TFTP would be a bad idea, too dangerous...
Regarding accessing the Operator instance from the outside (e.g. for maintenance), we usually do it over VPN, so no need to map ports.
But our ISP requires a public static IP address (for security), so we will need to map SIP and RTP at minimum, I think.
So our firewall will forward those ports to the appliance, and the appliance will go out using the firewall IP.
I will let you know if it works :)
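
As an added example (not part of the thread and not Kerio's code), the forward list the posters converge on can be checked mechanically against a firewall's inbound rules. The RTP range 10000-20000 and the rule strings are constructed placeholders; the real range is the one set in Operator's network settings.

```python
# Added example, not Kerio code. The RTP range and the rule lists are constructed.
RTP_RANGE = (10000, 20000)  # assumption: copy the range from Operator's network settings

# Needed from the Internet when the SIP carrier requires a public IP (per the thread).
REQUIRED = [("udp", 5060, 5060), ("tcp", 5060, 5060), ("udp", *RTP_RANGE)]
OPTIONAL = [("tcp", 5061, 5061)]  # secure SIP, only for phones using encrypted calls
# Services named in the thread that stay closed when administration goes over VPN.
KEEP_CLOSED = {("udp", 69): "TFTP", ("udp", 161): "SNMP", ("tcp", 4021): "WebAdmin",
               ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}


def parse(rule):
    """Turn 'udp/10000-20000' or 'tcp/5061' into (proto, first, last)."""
    proto, _, ports = rule.strip().lower().partition("/")
    first, _, last = ports.partition("-")
    lo, hi = int(first), int(last or first)
    if proto not in ("tcp", "udp") or not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad forward rule: {rule!r}")
    return proto, lo, hi


def within(inner, outer):
    """True if port range `inner` lies entirely inside `outer` (same protocol)."""
    return inner[0] == outer[0] and outer[1] <= inner[1] and inner[2] <= outer[2]


def audit(rules):
    """Return sorted findings for a list of inbound forwards to the PBX."""
    forwards = [parse(r) for r in rules]
    findings = []
    for need in REQUIRED:
        if not any(within(need, f) for f in forwards):
            findings.append("missing %s/%d-%d" % need)
    for f in forwards:
        if any(within(f, ok) for ok in REQUIRED + OPTIONAL):
            continue  # no wider than what the thread calls for
        hit = sorted(name for (p, port), name in KEEP_CLOSED.items()
                     if within((p, port, port), f))
        findings.append("unneeded %s/%d-%d" % f + (" exposes " + ",".join(hit) if hit else ""))
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(["udp/5060", "tcp/5060", "udp/69", "udp/10000-15000"]):
        print(line)
```

An RTP forward narrower than Operator's configured range is reported as missing, since the thread's advice is that the two ranges match.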
  •  
sigfrido@netatwork.it

Hi guys,
The configuration with port forwarding works perfectly except for one thing.
I can't register a SNOM D715 from a remote location, either behind a NAT or directly with a public IP address. I see the packets pass through the firewall on the server side, but I have no trace of the connections on my Kerio server. The phone log simply reports this:

Apr 14 16:55:36 [WARN ] SIP: transaction_timeout udp: 1000017 (32000)
Apr 14 16:55:36 [ERROR ] SIP: transport error: 1000017 -> udp:185.139.28.62:5060
Apr 14 16:55:36 [NOTICE] SIP: Add dirty host: udp:185.139.28.62:5060 (0 sec)
Apr 14 16:55:36 [ERROR ] SIP: request 1000017 destination invalid udp:185.139.28.62:5060 313436303634343130383337313236-469pw0gsq5fm
Apr 14 16:55:36 [NOTICE] SIP: final transport error: 1000017 -> udp:185.139.28.62:5060
Apr 14 16:55:36 [ERROR ] SIP: transport error 1000017: generating fake 599
Apr 14 16:55:36 [ERROR ] SIP: Registrar 740<_at_>185.139.28.62 timed out

Any ideas?
thanks in advance
Sigfrido