Koozali.org: home of the SME Server

Need some help

Offline edb

« on: October 16, 2009, 06:15:04 AM »
I have just set up the latest SAIL-SME7.3 stable on a VMWare VM in Server Only mode and created a couple extensions for use with the Xlite softphones. On the local network I have no problem registering the extension; however, I cannot seem to register an Xlite softphone that is at a remote location behind its own firewall.
I have port forwarded UDP port 5060, and 10000-20000 at the main site to the internal IP of the PBX server and I have also port forwarded at the remote end to the PC with the softphone but it just gives me "Registration error: 408 Request Timed Out" no matter what I try.
I have the remote softphone SIP account settings configured with Username=5004 Password=password Authorization User Name=5004 Domain=IP of Main Site Firewall (which forwards to internal IP) and I have clicked the "Register with Domain" and "Send outbound via Domain" but cannot get it to work.
If I do a port scan at either end it shows the ports as "Stealthed" so that should be fine.
Is the SME server configured to allow access to these ports for other than the internal network?
Or is there something I must do to allow external clients to register?

Thanks in advance

-edb
......

Offline SARK devs

Re: Need some help
« Reply #1 on: October 16, 2009, 02:11:24 PM »
Have you set the location in the extensions edit panel to "remote"?

Have you set the correct external ip address in Globals?

You should NOT need to do any port forwarding at the remote end as long as your Xlite terminal is behind a regular NAT'ed firewall. 

You SHOULD port forward 5060 and 1000-2000 (UDP!!) to SARK from your local firewall.

SARK automatically opens 4569(IAX2), 5060(SIP) and 10000-20000(RTP) in the SME firewall.  You can check like this...

Code:
[v@v]# /etc/init.d/masq status | grep 5060
ACCEPT     udp  --  0.0.0.0/0            192.168.1.210       udp dpt:5060

You can watch the packets with tshark if you want (you'll need to yum install wireshark if you haven't already got it).

Code:
tshark -R sip -i eth0 -f "host {address of the Xlite box}"

Kind Regards

S
« Last Edit: October 16, 2009, 02:13:54 PM by SARK devs »
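
One way to read such a capture when the phone reports 408, as an added example that is not part of the original post and not SARK code. The six-column tab-separated input, the phone address 203.0.113.25 and the function name are constructed assumptions; 192.168.1.210 is the PBX address from the firewall rule above.

```python
# Constructed capture summary taken at the PBX, one packet per line:
# src, src port, dst, dst port, SIP method (requests), status code (replies).
SAMPLE = [
    "203.0.113.25\t31002\t192.168.1.210\t5060\tREGISTER\t",
    "192.168.1.210\t5060\t203.0.113.25\t31002\t\t401",
    "203.0.113.25\t31002\t192.168.1.210\t5060\tREGISTER\t",
    "192.168.1.210\t5060\t203.0.113.25\t31002\t\t401",
]

EXPLAIN = {
    "no-register": "nothing from the phone reached the PBX: check the UDP 5060 forward",
    "no-reply": "REGISTER arrived but the PBX stayed silent: check the PBX side",
    "reply-wrong-port": "PBX answered a port the phone's NAT never opened",
    "reply-lost": "PBX answered the NAT mapping: the reply is lost on the way back",
}

def triage(lines, pbx, phone):
    """Classify a failed remote registration from packets seen at the PBX."""
    reg_ports, good, wrong = set(), 0, 0
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 6:
            continue                          # skip blank or malformed lines
        src, sport, dst, dport, method, status = fields
        if (src, dst, method) == (phone, pbx, "REGISTER"):
            reg_ports.add(sport)              # source port chosen by the NAT
        elif (src, dst) == (pbx, phone) and status.isdigit():
            if dport in reg_ports:
                good += 1                     # reply aimed at the NAT mapping
            else:
                wrong += 1                    # reply aimed at some other port
    if not reg_ports:
        return "no-register"
    if good:
        return "reply-lost"
    return "reply-wrong-port" if wrong else "no-reply"

if __name__ == "__main__":
    verdict = triage(SAMPLE, "192.168.1.210", "203.0.113.25")
    print(verdict, "-", EXPLAIN[verdict])
```
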

Offline edb

Re: Need some help
« Reply #2 on: October 16, 2009, 04:19:24 PM »
Thanks for the quick reply S.

I have checked and the server does have port 5060 open just as you indicated.

I did change the ports that I have forwarded to UDP 1000-2000 as you indicated but I wasn't sure if that was a typo as I did have ports 10000-20000 open previously.
My extension is set to "remote" and in the Globals I have the external IP set to the Firewall's external Internet IP but I even tried the SARK server internal IP but nothing worked in either configuration.

So even after changing the forwarded ports to UDP 1000-2000 I still get the "Registration error:408" and I cannot connect.

Thanks for your help ...

-edb
......

Offline SARK devs

Re: Need some help
« Reply #3 on: October 16, 2009, 07:43:23 PM »
Sorry - it is a typo - it should be 10000-20000.

You might want to simplify your set up by first connecting locally to the PBX.  This at least removes one level of uncertainty.   

Kind Regards

S

Offline edb

Re: Need some help
« Reply #4 on: October 16, 2009, 08:46:33 PM »
Ok, then I did have it setup correctly to begin with.
I can connect locally without an issue. I just cannot connect from outside the LAN such as from my home softphone which is behind a NAT router.

-edb
......

Offline soprom

Re: Need some help
« Reply #5 on: October 16, 2009, 11:20:59 PM »
You seem to have 2 types of potential problems: Xlite softphone and vmware network interface.

Isn't there a special port ( like 27xx) to forward for this x-lite phone?

You might also want to forward something else (like tcp:8080 -> tcp:80) to the server in order to confirm that it can hear from outside the LAN.

Sophie from Montréal

Offline PWDasterisk

Re: Need some help
« Reply #6 on: October 20, 2009, 06:08:15 AM »
SIP has very poor native NAT support so X-Lite can be tricky depending on the firewall's NAT implementation. I've tested various remote SIP topologies using X-Lite and have found the following to generally work:

1) Follow "SARK devs" advice on SAIL setup and the SIP firewall port forwarding.

2) X-Lite should be setup as follows:
>Under "Account" tab =>
  User Details> Domain=FQDN or IP Address,
  Domain Proxy> "Register with domain and receive incoming calls" should be selected
  Send Outbound via: "target domain" should be selected

>Under "Topology" tab =>
   Firewall Traversal =>
     IP Address >" Discover global address" should be selected,
     STUN Server > "use specified server: stun.counterpath.net"
     "Enable ICE" should be selected

>Under "Advanced" tab =>
  Advanced Options > "Use rport" should normally be selected BUT
  I've found cases where NOT selecting it was necessary due to NAT symmetry

In one instance I found a Sonicwall firewall that had its own built-in "Enable SIP Transformations" option which had to be disabled because it was modifying SIP headers, so make sure you check all your firewall's rules and options pertaining to NAT and Services.

"soprom" is correct in the fact that you are adding another firewall and NAT traversal between you and the outside world by running Asterisk/SAIL on a Virtual Machine.

I regularly use X-Lite for remote phones with video support and have no problems once the setup is tweaked to compensate for firewall and NAT variations.
« Last Edit: October 20, 2009, 06:32:54 AM by PWDasterisk »
if at first you don't succeed then keep on reading until you do succeed...
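
Why NAT and the "Use rport" option matter for SIP, shown as an added example that is not part of the original post or any project's code: it compares the addresses a phone writes into its REGISTER with the packet source the PBX actually sees. The sample message, the addresses and the function names are constructed assumptions; only IPv4 literals and hostnames are handled.

```python
import ipaddress
import re

# Constructed REGISTER as the PBX might receive it from a phone behind NAT.
SAMPLE = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.50:5060;branch=z9hG4bK-1234;rport\r\n"
    "Contact: <sip:5004@192.168.0.50:5060>\r\n"
    "CSeq: 1 REGISTER\r\n"
    "\r\n"
)

def _is_private(host):
    """True for RFC 1918 and other non-routable literals; False for names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def nat_report(message, src_ip, src_port):
    """Compare addresses written in the SIP headers with the packet source."""
    headers = {}
    for line in message.splitlines()[1:]:
        if not line:
            break                                   # end of headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    if "via" not in headers or "contact" not in headers:
        raise ValueError("REGISTER lacks a Via or Contact header")
    sent_by, *params = headers["via"].split(None, 1)[1].split(";")
    via_host, _, via_port = sent_by.strip().partition(":")
    via_port = int(via_port or 5060)
    rport = any(p.strip().split("=")[0].lower() == "rport" for p in params)
    contact = re.search(r"sips?:(?:[^@>;]+@)?([^:;>\s]+)", headers["contact"])
    contact_host = contact.group(1) if contact else ""
    # With rport (RFC 3581) the reply returns to the packet's source port;
    # without it the reply goes to the source IP but the port named in Via.
    reply_to = (src_ip, src_port if rport else via_port)
    return {
        "nat_in_path": (via_host, via_port) != (src_ip, src_port),
        "rport": rport,
        "contact_private": _is_private(contact_host),
        "reply_to": reply_to,
        "reply_hits_nat_mapping": reply_to == (src_ip, src_port),
    }
```

When `reply_hits_nat_mapping` is false, the reply is aimed at a port the remote NAT never opened and the phone will time out even though the PBX answered.
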

Offline edb

Re: Need some help
« Reply #7 on: October 20, 2009, 07:05:59 AM »
Thanks for the input PWDasterisk and Soprom but I did everything you indicated here including checking the Sonicwall firewall for the "Enable SIP Transformations" but it was not enabled anyway. There may just be a variable as suggested by using the Virtual Machine and it's like finding a needle in a haystack.
I finally just gave up ... I may revisit it at some other time but it is very draining when things don't work as you know they should. Sometimes a rest is good and it is not something I absolutely need right now but my first taste of this is fairly bitter and I figure if I can't even get this to work then it surely isn't something I can just quickly throw together. Everything did work fine from the local network level but that isn't much of a challenge but the remote connections are what present the challenges.
There are a lot of very talented people here and for them it is surely a different story and more like a walk in the park.
Not totally giving up but I will put it on the shelf for a bit.

Thanks again for all the assistance though.

-edb
......