Port forwarding diagnostics and security considerations

How do I verify ports for remote operations - in other words, check that I've forwarded the ports correctly?  How do I protect my server against being hacked, or prevent an outside attacker from making unauthorized international phone calls?


Ports to forward/open

The following ports must be forwarded to the internal IP address of your trixbox Pro in order to use IP phones or HUD remotely. The items marked "only if" apply only when you use that feature, and you can skip port 4569 if you know you don't use linked servers.

  1. 5060 UDP - SIP registration, used by remote phones and VoIP carriers.
    (initiate, pick up, and end calls - call signalling and setup/teardown)
  2. 10000-20000 UDP - RTP voice traffic.
    (audio travels over a randomly selected pair of ports in this range)
  3. 5222 TCP - HUD3, used by remote HUD3 clients.
    (5269 TCP is additionally used for external chat contacts and linked servers)
  4. 4569 UDP - IAX2 registration and audio, for linked servers.
  5. 4000-4031 UDP - only if you have HUDMobile.  Used by remote HUDMobile client softphones.
  6. 443 TCP - only if you have HUDMobile.  Used by remote HUDmobile clients.
  7. 8997 TCP - only if you have HUD screen sharing.

For remote phones, remote HUD, and VoIP providers to work, these ports must be forwarded.  Remote traffic hitting the public IP address of the router or firewall needs to be forwarded to the internal IP address of the PBX on the local area network.

Otherwise, remote phone traffic and VoIP providers will not be able to consistently reach or send calls to the PBX sitting behind your router or firewall.

NOTE: when performing port forwarding on your network, be sure to only allow trusted sources! Allowing untrusted sources can result in unsolicited registrants to your system.  See Security Considerations below.
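One way to answer the opening question ("have I forwarded the ports correctly?") without waiting for a remote user to report back: an added probe script, not part of this article or of Fonality's tools. It sends an unauthenticated SIP OPTIONS request to the public address and treats any SIP reply (200, 401, 404 ...) as proof that UDP 5060 reaches the PBX, and completes a TCP handshake for the HUD3 port. The public and local addresses are placeholders you supply; RTP 10000-20000 cannot be checked this way because the PBX only listens there during a call.

```python
import socket
import uuid

# Ports this page lists as mandatory for remote phones/HUD (HUDMobile and screen
# sharing are optional and omitted). Run the probe from OUTSIDE the LAN: many routers
# do not hairpin their own public address, so a test from inside can fail spuriously.
REQUIRED_TCP = {5222: "HUD3"}
SIP_PORT = 5060

def build_options_request(public_host, local_host, port=SIP_PORT):
    """Minimal SIP OPTIONS request (RFC 3261); it needs no credentials to get a reply."""
    tag, branch, call_id = uuid.uuid4().hex[:8], "z9hG4bK" + uuid.uuid4().hex[:16], uuid.uuid4().hex
    lines = [f"OPTIONS sip:{public_host}:{port} SIP/2.0",
             f"Via: SIP/2.0/UDP {local_host}:{port};branch={branch};rport",
             f"From: <sip:probe@{local_host}>;tag={tag}",
             f"To: <sip:{public_host}>",
             f"Call-ID: {call_id}@{local_host}",
             "CSeq: 1 OPTIONS", "Max-Forwards: 70", "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode()

def parse_sip_status(data):
    """Return (code, reason) from a SIP response status line, or None if it is not one."""
    first = data.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")

def probe_sip_udp(public_host, local_host, timeout=3.0):
    """Any SIP reply at all (200, 401, 404, ...) proves UDP 5060 reaches the PBX."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options_request(public_host, local_host), (public_host, SIP_PORT))
        try:
            return parse_sip_status(s.recvfrom(2048)[0])
        except socket.timeout:
            return None          # no reply: not forwarded, filtered, or the PBX is down

def probe_tcp(public_host, port, timeout=3.0):
    """True if a TCP handshake completes, i.e. the forward reaches a listening service."""
    try:
        with socket.create_connection((public_host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_forwarding(public_host, local_host):
    """Map each required port to its probe result, e.g. {'udp/5060 SIP': (200, 'OK'), ...}."""
    results = {f"udp/{SIP_PORT} SIP": probe_sip_udp(public_host, local_host)}
    for port, name in REQUIRED_TCP.items():
        results[f"tcp/{port} {name}"] = probe_tcp(public_host, port)
    return results
```

A reply of 401 or 403 still means the forward works; it only shows the PBX is challenging or refusing an unknown peer, which is the behaviour you want from the Internet side.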


Outbound ports that must be allowed

Some enterprise-class firewalls block outbound traffic by default unless specifically allowed.  The PBX connects outbound on the following ports. 

Do not forward these ports*, but traffic should be allowed outbound (originating from the PBX) for:

  • 53 TCP/UDP - DNS, or Domain Name Service.  Used for resolving hostnames such as "vpn1.fonality.com".
  • 80 TCP - HTTP.  Required for the PBXtra to determine its public IP address, and download updates/patches.
  • 123 TCP/UDP (both) - NTP, or Network Time Protocol.  Used for time and date settings.
  • 443 TCP - HTTPS.  HUD clients primarily use this when first setting up their username.
  • 8000 TCP - VPN tunnel.  Required by the Web Admin Panel - the PBX establishes a couple of SSH VPN tunnels back to the Fonality datacenter on this port.
    (some larger firewalls block outbound traffic on TCP port 8000 unless you add an exception.)

Tip: if your outbound firewall rules say "allow all", you shouldn't need to add specific allow rules.

* With the exception of 443, which may be required for remote HUDmobile users - if you use HUDmobile.


Inbound ports that must not allow unsolicited inbound connections

The following inbound ports should not be forwarded at all; if you must, restrict them to a very narrow range of source IP addresses (use whitelists).

  • Don't forward: 21 FTP.
  • Don't forward: 22 SSH.
  • Don't forward: 69 TFTP.
  • Don't forward: 80 HTTP.

Don't expose phones to the Internet.  At a minimum, Internet access to TCP port 80 (HTTP) on the phone must be blocked.


Security considerations

When opening or forwarding ports, there are some security considerations to keep in mind.  These are guidelines - Fonality does not manage your network security - but these tips cover most common attack vectors.

  1. Don't forward port 22 SSH.
    If port 22 is forwarded to the PBX without IP restrictions, it will be subjected to thousands of brute-force username/password combination attacks per second.  Fonality disables root password login on port 22 by default (unless someone has set a root password), but it should not be exposed in any case.  If you need to log in on port 22, restrict it to only certain specific remote IP addresses, and use a strong password (many hacked servers thought they had a strong password).
     
  2. Enable SIP brute force detection.
    (requires PBX software version 2010.1.20+)  We recommend enabling this on the Web Admin Panel under the Options: Settings tab.  For example: after 20 incorrect attempts, block the IP address for 1 hour.  This should at least cut down on people blocking themselves out because they typed their softphone password wrong, but most brute-force attacks will block themselves in under a second.
     
  3. Whitelisting - only allow certain IPs to connect to port 5060 SIP.
    If your router/firewall supports it, restrict what IP addresses can connect to SIP port 5060 (UDP). 
    Admittedly, this may not be as practical if you have remote users on dynamic IP addresses, but consider whitelisting their ISP.  Then IP addresses from another ISP or country can't try to break in.
     
  4. Avoid placing the PBX in a DMZ. 
    We do not recommend placing the PBX, a phone, or any server in a de-militarized zone, as a DMZ exposes all running services on it to potential attack.  It's sometimes useful for troubleshooting phone registration issues, but should not be used in a production environment.
     
  5. Don't forward ports you don't need. 
    A common sense rule - for example, if you know you don't use a VoIP carrier and all of your phones are on-site, it shouldn't be necessary to forward port 5060.
     
New types of attacks against network devices and software are constantly emerging. We believe in a proactive approach to security and by taking the measures suggested above, you can stay protected against future threats.
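The "20 failures, then block for 1 hour" rule from item 2 above, written out as an added detection example (not part of this article and not the PBX's own implementation): it reads Asterisk-style failed-registration NOTICE lines, counts failures per source address inside a sliding window (the window length is an assumption; the article gives only the attempt count and block duration), and reports the address to block. The sample log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE Asterisk writes for a failed REGISTER (format assumed;
# the article does not show its log lines).
LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
                     r"Registration from .*? failed for '(?P<ip>[\d.]+)'")

class SipBruteForceDetector:
    """Block a source after `threshold` failures inside `window`, for `block_for`."""
    def __init__(self, threshold=20, window=timedelta(hours=1), block_for=timedelta(hours=1)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime the block expires

    def feed(self, line):
        """Return the offending IP when a line triggers or hits a block, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, ip = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]
        until = self.blocked_until.get(ip)
        if until and ts < until:
            return ip                        # still blocked: the firewall should be dropping it
        if until:                            # block expired: start counting afresh
            del self.blocked_until[ip]
            self.failures[ip].clear()
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:       # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return ip
        return None

def constructed_sample():
    """Constructed lines: a 25-try scanner, a user who mistyped twice, and the scanner
    coming back two hours later (after its block has expired)."""
    fmt = ("[2010-05-12 {t}] NOTICE[2219] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {why}")
    scanner = [fmt.format(t=f"10:00:{i:02d}", ext=100 + i, ip="198.51.100.7",
                          why="No matching peer found") for i in range(25)]
    typo = [fmt.format(t="10:05:00", ext=207, ip="203.0.113.5", why="Wrong password")] * 2
    later = [fmt.format(t="12:00:00", ext=300, ip="198.51.100.7", why="No matching peer found")]
    return scanner + typo + later
```

Feeding the constructed sample through the detector blocks the scanner on its 20th try while the user who mistyped twice is never touched, which is exactly the trade-off the article describes.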



Other security tips

These aren't network tips, but are relevant to the topic of security and preventing unauthorized calls.  Briefly:

- Disable voicemail 'Callout'.
Under the Web Admin Panel: Users/Extensions: view users (or view extensions) tab.  Click on an extension and look under the voicemail settings.  Make sure that "Enable Callout" is set to no or disabled, unless you have a specific reason to enable it.

- Disable international calling, unless needed.
Typically just the "9+011." dialplan (be careful not to affect 9+11 emergency).  See editing dialplans.


Can I still contact Fonality Support for help?

Of course!  However, Fonality's mission as a company is to make technology easy.  Fonality believes that phone systems should not be complicated or take years of training and multiple certifications to administrate. 

What is 'port forwarding'?

Imagine you have a business operating out of your own home.  The law in most places states that you must have an entrance separate from the front door for customers visiting your home office.  It helps to keep your personal and professional lives separate and protects your privacy.  Within your network, port-forwarding accomplishes a very similar function: pass all traffic destined for the trixbox Pro directly without mixing in any other traffic.  By explicitly defining a rule within your router that forwards all information on a certain port (or ports) to your trixbox Pro you are essentially creating that entirely separate entrance as in the home office example.

How do I forward a port?

It varies.  Most SOHO routers have an administrative interface accessible from any computer on the Local Area Network.  Please consult your manufacturer's documentation as Fonality does not provide support for customer-provided networking equipment.

What are "SIP ALG" "SIP FIXUP" and other SIP-Services on my Router/Firewall?

All of these things typically do more harm than good.  Ask the customer to disable any of these settings within their router or firewall.  Read this article for in-depth information.  See the malformed-packet section below for detailed information on what this is and how to fix it.

Malformed SIP packets will cause problems.

FONcore expects to see uniform SIP packets.  If a SIP packet has been modified in any way it may be discarded, leading to dropped calls or the inability to connect a call.  Usually this occurs when features on firewalls/NATs try to help SIP communication by altering SIP packets, but in doing so they interfere with FONcore's built-in method of traversing NATs.  Common names for some of these features are "SIP Fixup", "SIP Debug", "SIP NAT Traversal" or "SIP ALG", but there are many other names as well.

Packets may also be processed by FONcall but the call can experience lost audio due to dropped packets or one-way audio if FONcall does not know where to send RTP packets because of a malformed source port.


Run the test (deprecated)

This test has been discontinued for the time being.  We don't have an E.T.A. for its return at this time.

For historical reference / servers that still have the test page visible (although I don't guarantee that it will report correctly):

  1. Click on Status --> diagnostics
  2. Wait for the tests to complete
  3. If all tests fail, yet you have registered remote users, the testing tool may be down for maintenance.


Why is the Status: Diagnostics information useful? (deprecated)

Until now, customers had only a single resource for information regarding remote phone and HUD issues: Fonality Support.

With the old Status --> diagnostics page, customers could automatically detect and view steps to resolve remote phone registration/audio issues and remote HUD issues.

That being said, one can have a remote coworker attempt to register a phone (be sure to add the "x" after the Server ID - see Remote Phone Directions), and if that's unsuccessful, after a few tries, ask Fonality Support if they can check.