Mitel MiVOICE BUSINESS User manual

MiVoice Border Gateway
Engineering Guidelines
January, 2017
Release 9.4

NOTICE
The information contained in this document is believed to be accurate in all respects but is not warranted by
Mitel Networks™ Corporation (MITEL®). The information is subject to change without notice and should not be
construed in any way as a commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and
subsidiaries assume no responsibility for any errors or omissions in this document. Revisions of this document or
new editions of it may be issued to incorporate such changes.
No part of this document can be reproduced or transmitted in any form or by any means - electronic or
mechanical - for any purpose without written permission from Mitel Networks Corporation.
Trademarks
The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's Internet
sites or in its publications are registered and unregistered trademarks of Mitel Networks Corporation (MNC) or its
subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited without the express consent from
Mitel. Please contact our legal department at lega[email protected] for additional information. For a list of the
worldwide Mitel Networks Corporation registered trademarks, please refer to the website:
http://www.mitel.com/trademarks.
Product names mentioned in this document may be trademarks of their respective companies and are hereby
acknowledged.
®,™Trademark of Mitel Networks Corporation
© Copyright 2017, Mitel Networks Corporation
All rights reserved

1 About this Document
1.1 Overview
1.2 Prerequisites
1.3 About the MBG Documentation Set
2 Supported Configurations
2.1 Services
2.2 Teleworkers and Remote Offices
2.3 NAT Traversal for Multi-instance MiVoice Business
2.4 Secure Gateway for Broadview Networks Silhouette HKS
2.5 Secure Recording Environment
2.6 SIP Trunking
2.7 Daisy Chain Deployments
2.8 MBG in MiCollab
2.9 MBG in MiVoice Business Express
2.10 Partial Service Configurations
3 Common Requirements
3.1 Administrative Access
3.2 Firewalls (DMZ deployment)
4 Remote Phone Access
4.1 Remote Site Requirements
4.2 Behavior
4.3 Firewall Configuration for Remote MiNet Devices
4.4 Configuring MBG for Remote SIP Devices
4.5 Firewall Configuration for Remote SIP Devices
5 SIP Trunking
5.1 Overview
5.2 Send Options Keepalives
5.3 Bandwidth Requirements
5.4 Resilient Trunk Configuration
5.5 DNS Support
5.6 Firewall Configuration for SIP Trunking
6 Call Recording
6.1 Call recording vs. Local Streaming
6.2 Indirect Call Recording
7 Web Real-Time Communication (WebRTC)
7.1 WebRTC Gateway Supported Configurations
7.2 WebRTC Architecture and Topology
7.3 Firewall Configuration for WebRTC Gateway
8 Additional Application Requirements
8.1 MiCollab Client v6.0+
8.2 MiContact Center
8.3 Web Proxy
8.4 Remote Management Service
9 Additional Security Considerations
9.1 SIP Security
10 Traffic Shaping
10.1 Overview
10.2 Technical Details
11 Clustering
11.1 Overview
11.2 Cluster Zones
11.3 Node Weighting
11.4 Additional Considerations
11.5 Firewall Configuration for Clustering
12 Advanced Options
12.1 Resiliency
12.2 IP Translations
12.3 Streaming Addresses
12.4 RTP Frame Size
12.5 TFTP Block Size
12.6 Compression Codecs
12.7 SRTP Port Range
12.8 DSCP
13 Sizing Your Installation
13.1 Determining Line Size for Large Sites
13.2 Determine Call Equivalents
13.3 Determine Bandwidth Requirements
13.4 Hardware Selection
13.5 Web Proxy and Remote Management Service Requirements
13.6 MiCollab Client and MiCollab AWV Conferencing Requirements
13.7 MiContact Center Softphone Requirements
14 Virtual MBG Considerations
14.1 Licensing
14.2 Upgrades
14.3 Host Server Requirements
14.4 High-Availability
15 Solutions to Common Problems
15.1 Changing a Cluster Node's IP Address
15.2 T.38 Faxing Does Not Work With NAT
16 Performance Characteristics and Limits
16.1 MBG Capacities – Device (MiNet & SIP) and Trunking (SIP)
16.2 MBG Capacities – WebRTC
16.3 Web Proxy Capacities
16.4 MBG System Capacities
17 Appendix A: Firewall Configuration Reference

1 About this Document
1.1 Overview
The purpose of this document is to describe configuration rules, provisioning, and performance information for
the MiVoice Border Gateway, and associated products in order to assist in sales and support of this product. This
information is intended for Training, Sales and Product support staff and complements other sales material and
product documentation.
Note: The Secure Recording Connector (SRC) has been consolidated into MBG. Accordingly, although this
document discusses the SRC control interface and its protocol, it does not treat the SRC as a separate
feature.
1.2 Prerequisites
The MiVoice Border Gateway application runs on the Mitel Standard Linux (MSL) Server. The reader should first
become familiar with the MSL Installation and Administration Guide and the Qualified Hardware List. These
documents are available from http://edocs.mitel.com.
1.3 About the MBG Documentation Set
Mitel documentation is available from http://edocs.mitel.com. (Note: a Mitel On-Line account is required to
access eDocs.) The following guides provide complete information about MBG:
• The MBG Engineering Guidelines (this document).
• The MiVoice Border Gateway Blade Installation and Maintenance Guide provides information about
system requirements, installation of MBG, and configuration of MBG options and firewalls.
• The MiVoice Border Gateway Online Help provides information about MBG configuration and
maintenance.
• The Remote IP Phones Configuration Guide provides information about configuring remote phones.
2 Supported Configurations
2.1 Services
MBG provides the following services:
• Remote MiNet IP Phones: The classic use of MBG, formerly known as the Teleworker Solution, permits
remote MiNet phones to securely access the corporate phone network over the Internet.
• Remote SIP IP Phones: Permits Teleworker functionality for SIP hard or soft phones over the Internet.
• SIP Trunking: Allows a corporate phone switch to connect to a SIP Trunk provider, protecting the
switch from malformed messages, unauthorized use, and various attacks, and providing an anchor point
for media streams.
• Call Recording: Formerly the Secure Recording Connector, this service allows secure recording of
phone calls by a third-party application.
• WebRTC: A gateway to support browser-based voice and video calling. This guide provides information
about the requirements and installation procedures of the MiVoice Border Gateway.
In addition, the MBG server can host the Remote Proxy Services blade to provide the following services:
• Web Proxy: end-user access from the WAN to applications hosted inside the firewall
• Remote Management Service: administrative access from the WAN to applications hosted inside the
firewall
Please refer to the Remote Proxy Services documentation for details.
MBG can be deployed in several ways depending on the services required.
2.2 Teleworkers and Remote Offices
Overview
The original design intent of MBG is to provide a Teleworker solution. Once an MBG server is installed,
extensions from the office PBX can be extended across the Internet to permit MiNet phones to work from homes,
remote offices, hotels, etc.
In this use case, either the server-gateway profile or the DMZ profile can be used, depending on where on the
network MBG is to be deployed. If deploying behind an existing firewall on a DMZ, then a single network interface
and the DMZ profile are appropriate. If deploying beside an existing firewall, or if there is no existing firewall, then
the server-gateway profile is appropriate.
Failure to follow these guidelines will result in one-way or no-way audio.
Warning: Some firewalls which use port-forwarding to simulate a DMZ are Port-forwarding Firewalls. See
the Common Requirements chapter for full details.

MiVoice Border Gateway as Internet Gateway
Mitel recommends deploying the Mitel Standard Linux server with MiVoice Border Gateway as the Internet
gateway and firewall for any enterprise without an existing firewall. Figure 2 shows an example of this
configuration using the MiVoice Border Gateway and a MiVoice Business (3300 ICP).
MBG requires two network interfaces and two addresses for this configuration. The external address must:
1. Be a static address that does not change
2. Be directly attached to a NIC on the MSL server
3. Be reachable from the public network/Internet
4. Be reachable from the internal network/LAN
5. Not be subject to NAT or behind another firewall
The interface may be configured via DHCP, PPPoA, PPPoE or similar technology, but the address it receives
must always be the same.
Warning: If the external address changes, all teleworker phones must be reprogrammed with the new
address.
Figure 1: MBG in traditional Teleworker configuration

An enterprise can take advantage of the DSL, authenticated DHCP and PPPoE/PPPoA[1] capabilities of the MSL
server. The server additionally provides NAT for all devices at the enterprise, a stateful packet filter firewall, and
optional port-forwarding.
Note: If desired and if hardware is available, a third interface may be configured in MSL. This interface might be
useful as a dedicated interface for if a network between the MBG servers can be set aside for this purpose.
Alternatively, the third interface could be put into bridged mode on MSL 9.2+ to permit an MBG server in parallel
with an existing firewall to transparently handle all traffic from that firewall and accomplish traffic shaping. See
Traffic Shaping for full details.
Additional Trusted Local Networks
Additional trusted internal networks or subnets that require access to the MiVoice Border Gateway can be added
via the Networks panel of the server manager. This access can be limited to individual hosts, or large network
blocks can be used. In all cases, the Router property should be set to the address of the router on the subnet
attached to the MSL server's internal interface.
For example, to allow access from the single subnet 192.168.12.0/24, you would enter a network of
192.168.12.0 and a mask of 255.255.255.0 in the Local Networks panel, plus the address of the router on the
local subnet through which this network can be reached.
If the customer’s network has multiple subnets with a common prefix, access can be allowed from the prefix. For
example, if the customer uses various subnets within the 192.168.0.0/16 network, enter a network of
192.168.0.0 and mask of 255.255.0.0 in the Networks panel, and allow the local router to determine the routing
to the individual subnets.
In addition to providing application access control, the Networks panel can also be used to add static routes.
Note: The Networks panel is a feature of MSL. Refer to the MSL documentation for a full description of its
capabilities.
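The entries described above can be checked before they are typed into the Networks panel. The following Python is an added example, not part of the Mitel guide or of MSL: it converts planned CIDR blocks into the network and mask values the panel expects, verifies that each router sits on the subnet attached to the internal interface, and flags redundant or unusually broad entries. The interface address, the router addresses, the /16 review threshold and the RFC 1918 check are assumptions made for the example.

```python
import ipaddress

# RFC 1918 ranges. Flagging entries outside them is a review heuristic chosen
# for this example, not a rule enforced by MSL.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan: (trusted network in CIDR form, router address).
INTERNAL_IF = "192.168.1.2/24"           # assumed MSL internal interface
PLANNED = [
    ("192.168.12.0/24", "192.168.1.1"),  # single subnet, as in the text
    ("192.168.0.0/16", "192.168.1.1"),   # common prefix, as in the text
    ("10.0.0.0/8", "192.168.1.1"),       # very large block
    ("172.16.5.9/32", "172.16.5.1"),     # single host, router on the wrong subnet
    ("192.168.12.5/24", "192.168.1.1"),  # host bits set: not a network address
    ("203.0.113.0/24", "192.168.1.1"),   # documentation range, not private space
]


def review_trusted_networks(internal_if, entries, min_prefix=16):
    """Return (rows, findings) for a planned list of trusted networks.

    rows     -- network/mask/router values to enter in the Networks panel
    findings -- (entry, issue) pairs a reviewer should resolve first
    min_prefix is a review threshold (assumption): blocks with a shorter
    prefix than this are reported as broad.
    """
    iface = ipaddress.IPv4Interface(internal_if)
    lan = iface.network
    rows, findings, accepted = [], [], []

    for cidr, router in entries:
        try:
            # strict=True rejects a host address written with a network mask
            net = ipaddress.IPv4Network(cidr, strict=True)
            gw = ipaddress.IPv4Address(router)
        except ValueError as exc:
            findings.append((cidr, f"invalid entry: {exc}"))
            continue

        rows.append({
            "network": str(net.network_address),
            "mask": str(net.netmask),
            "router": str(gw),
            "addresses": net.num_addresses,
        })

        # The router must be a neighbour on the internal subnet, not the
        # MSL server itself and not an address inside the remote network.
        if gw not in lan or gw == iface.ip:
            findings.append((cidr, f"router {gw} is not a router on internal subnet {lan}"))
        if net.prefixlen < min_prefix:
            findings.append((cidr, f"broad block: trusts {net.num_addresses} addresses"))
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append((cidr, "outside RFC 1918 private space"))

        # A narrow entry adds nothing once a covering prefix is also trusted.
        for other in accepted:
            if net.subnet_of(other):
                findings.append((cidr, f"redundant: already covered by {other}"))
            elif other.subnet_of(net):
                findings.append((str(other), f"redundant: already covered by {net}"))
        accepted.append(net)

    return rows, findings


if __name__ == "__main__":
    rows, findings = review_trusted_networks(INTERNAL_IF, PLANNED)
    for r in rows:
        print(f"{r['network']:<15} {r['mask']:<15} via {r['router']:<12} ({r['addresses']} addresses)")
    for entry, issue in findings:
        print(f"REVIEW {entry}: {issue}")
```

The redundancy finding matters for access control: once 192.168.0.0/16 is trusted, removing the 192.168.12.0/24 entry later does not revoke that subnet's access.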
Figure 2: MBG as Internet Gateway (no enterprise firewall)
[1] Limited support is provided for PPPoA. Mitel recommends the use of a D-Link DSL 300T modem at the enterprise site if PPPoA
connectivity is required in gateway mode. Configure the modem to provide DHCP on the internal interface, and use DHCP on the MSL server
to configure the public interface. The modem acts as a bridge. Note that PPPoA routers that provide NAT will not work here.
MiVoice Border Gateway in a DMZ
The MiVoice Border Gateway can also be deployed behind a customer-provided or customer-managed firewall
as shown in Figure 3. This firewall must have 3 network interfaces (ports): WAN, LAN, and DMZ. Two-port
firewalls are not supported. It should also be noted that some “DSL routers” with “DMZ” port forwarding are
simply two-port NAT devices and should be treated as any other two-port firewall. Deployment of the MiVoice
Border Gateway behind such devices is not supported.
MBG requires one network interface and two addresses for this configuration. The interface must be configured
with a static address allocated from the DMZ network range. This is typically an RFC 1918 “private” address. The
enterprise firewall must be configured with an address allocated from the public/Internet range. This address
must be:
1. reachable from the public network/Internet
2. reachable from the internal network/LAN
3. able to reach the internal network/LAN
4. preferably dedicated solely to MBG, but also see Port-forwarding firewalls
Figure 3: MBG deployed in a DMZ
2.3 NAT Traversal for Multi-instance MiVoice Business
In a multi-tenant Multi-instance MiVoice Business install, it is possible to find tenant sites with overlapped
network ranges, and without NAT at the customer edge network. In this case, MBG can be used to perform
NAT traversal between the tenant sets and the Multi-instance MiVoice Business solution.
Figure 4: MBG providing NAT traversal for Multi-instance MiVoice Business
2.4 Secure Gateway for Broadview Networks Silhouette HKS
The Broadview Networks hosted key system provides service to various tenants across leased lines, MPLS
circuits, or the Internet from a common carrier. Customers are provided with either MiNet or SIP sets, and the
MBG acts as a Session Border Controller for both protocols. DNs are unique within each tenant but may overlap
between tenants.
Note: Please contact Broadview Networks to determine which MBG versions are compatible with silhouette, and
for all support inquiries.
Figure 5: MBG as a Gateway for Broadview Networks silhouette
2.5 Secure Recording Environment
When MBG is provisioned with call recording licenses, it can provide a secure man-in-the-middle for call
recording. This mode is supported only in a LAN environment.
It is advisable to disable MiNet restrictions on the MBG server providing call recording service, as having all LAN
sets authenticate through MBG is likely not required.
Teleworker sets connected through an MBG at the network edge can be recorded as well, by configuring the
edge MBG such that the desired sets point to the LAN MBG as if it was an ICP.
MBG Deployed on the LAN for Call Recording
When possible, Mitel recommends deploying the MBG call recording server on the same LAN segment as the
ICP(s) with which it will be working. However, it is often practical to use a separate segment if not all devices
should be recordable.
Figure 6 shows one sample configuration that could be used. IP phones that are to be recorded are on the same
LAN segment as the MBG server. DHCP is enabled in MSL, and MBG provides DHCP configuration such that
the sets use the MBG server as their TFTP server and as their ICP. MBG then proxies the set registrations to
the real ICP on the other segment. Sets on a different LAN segment using the MiVoice Business DHCP server
connect directly to the MiVoice Business and are therefore not recordable.
As an alternative to changing the network topology, each set that should be recordable can be individually
programmed to connect to the MBG. Hold down the “7” key and put each set into Teleworker mode. At the
prompt, enter the IP address of the MBG.
MBG servers can be chained together to allow recording of remote teleworker phones. Figure 7 below shows an
example of a teleworker set connecting through the edge MBG to an MBG server for call recording (and finally to
the MiVoice Business), so that it can be recorded along with the sets on the Recorded LAN. To configure this
scenario, an “ICP” entry is added to the edge MBG containing the IP address of the LAN MBG used for
recording. All remote sets that should be recordable must be configured with that “ICP”. The recording MBG will
then proxy the remote sets to their real ICP.

Note: CIS softphone (MiContact Center) can function properly in this configuration. However, only the signaling
and voice should be proxied through the call recording MBG. Additional application protocols should be proxied
directly from the edge MBG to the CIS server.
Warning: This is the only supported way to have both teleworker sets and call recording of LAN sets.
Combining teleworker service and call recording of LAN sets on a single server is not supported.
Figure 7: Recording teleworker sets
2.6 SIP Trunking
MBG introduced support for SIP trunks in release 5.1. The SIP trunk is established from the MiVoice Business
to the SIP trunk provider, using MBG as a SIP-aware firewall and proxy, as shown in Figure 8 below. MBG's
SIP trunk service provides:
• NAT traversal of media and signaling
• Media anchoring for the remote provider, regardless of the internal device
• SIP adaptation and normalization to improve interoperability
• Protection from malformed & malicious requests, various types of attack, and request flooding
When providing SIP trunk service, MBG can be deployed either in the DMZ of, in parallel with, or in place of an
existing firewall.
Some of the key benefits of using SIP trunks are:
• consolidation of capacity; all trunks come to one location, calls routed to branch offices over MPLS or
VPN links already in place
• increased simplicity for bandwidth management
• local phone numbers from anywhere in the world to permit customers to reach the company in question
easily
• cost savings over PRI/T1/POTS lines
• increased resiliency with the potential for disaster recovery configuration
2.7 Daisy Chain Deployments
“Daisy Chaining” is a technique of pointing one MBG at another that can work around certain bandwidth and
routing restrictions. The servers are configured such that all traffic between the sets and ICPs traverses all MBG
servers in series, like following links in a chain.
A “Daisy chained” MBG is one that is configured to accept all incoming requests (authentication is disabled) and
pass them “upstream” to another MBG, where the standard authentication is performed.
Note: In this context, “upstream” refers to the direction approaching the ICP on the LAN.

Warning: Daisy-chaining is only supported for MiNet phones. SIP phones, SIP trunking and remote applications
such as MiCollab Client are not supported with MBG daisy-chain deployments.
The two main applications of daisy-chaining are to comply with certain IT deployment policies and to reduce
bandwidth for remote sites.
Special IT Policy Deployment
Daisy chaining the DMZ MBG server to a LAN MBG server minimizes the scope of the firewall rules required to
facilitate communications between them. The firewall administrator can permit traffic only between those two
servers instead of across the entire LAN where sets may be located.
This configuration places the downstream server in the DMZ and the upstream server on the LAN. The servers
should use the network profiles of DMZ mode and LAN mode, respectively.
Note: Authentication should be disabled on the downstream (DMZ) server, and adds/changes should be made
only on the upstream (LAN) server.
Reduced Bandwidth for Remote Sites
If MBG is providing access for a remote office environment where the users often call one another, an MBG
server can be provided on site and daisy chained to the MBG server at the main office. This is not needed for
MiNet to MiNet calls behind the same remote NAT because the MBG local streaming feature will handle that
case. However, this deployment can be used to keep MiNet to SIP calls in the remote office. This configuration,
illustrated in Figure 10, can save bandwidth on the link between the remote and main offices.
Figure 9: Daisy-chained MBGs for enhanced security

The upstream server can be deployed in either a Gateway or a DMZ configuration.
Warning: Management of all remote office sets must be done on the upstream (main office) server only.
When the downstream server is put into mode, it will automatically disable all MiNet and SIP connection
restrictions, and pass all connection attempts up to the upstream server for authentication.
The remote office (downstream) MBG can also be configured for either a Gateway or DMZ deployment. Note
that there is no restriction on the location of the remote office sets; they do not have to be on the LAN. It may be
desirable to configure certain teleworker sets to connect to remote office MBGs (rather than the main office
MBG) in order to cause direct of those teleworkers' calls to sets in the remote office. This case requires Local
streaming to be enabled on the upstream (main office) server.
It is even possible to deploy multiple downstream MBG servers at different remote offices. If the upstream (main
office) server has Local Streaming enabled, calls within each remote office remain local to that office: signaling
still flows back to the main office, but voice streams for calls between offices will only traverse the path between
the two MBGs. This minimizes bandwidth use on the main office's connection.
Figure 10: Daisy-chained MBGs to save bandwidth

Caveat: All MBG servers in the daisy chain must be at the same release.
Refer to the MBG Installation and Maintenance Guide for a full description of setting up daisy chaining.
2.8 MBG in MiCollab
There are two supported deployments of MBG in MiCollab: on the LAN and on the network edge (Gateway
mode). Deployment in the DMZ is not supported.
MiCollab on the LAN
The safest way to deploy MBG is to leave MiCollab and its applications on the LAN, and deploy a second server
running MBG (either standalone or single-app MiCollab) in the DMZ or in Gateway mode at the network edge.
Remote access to the LAN MiCollab can be provided via on Internet-facing MBG. If centralized management is
desired, the two MBG applications can be clustered. All changes made on the LAN server will be reflected on the
edge MBG. Refer to the MiCollab documentation set for details on clustering MBG with MiCollab.
MiCollab on the Network Edge
Although Mitel recommends the dual server approach for maximum security, a single MiCollab server with all
applications can be deployed in Gateway mode at the network edge. In this configuration, all administrative and
end-user web interfaces and all services are directly reachable from the public network; is not required to reach
them.
Figure 11: Multiple downstream MBGs
2.9 MBG in MiVoice Business Express
The MiVoice Business Express product combines MiCollab and MiVoice Business on one virtual machine. Refer
to the MiVoice Business Express Deployment Guide for a description of supported MiVoice Business Express
configurations.
Support for an additional MBG deployment configuration is introduced for MiVoice Business Express
environments only because of specific IT constraints imposed by some cloud providers. For MiVoice Business
Express deployments only, MBG in server-gateway behind an existing firewall is supported with the constraint
that phones must not connect to the MBG from the LAN side of the firewall. That is, this configuration is only
supported for phones connecting to the MBG WAN interface via the existing firewall WAN interface.
2.10 Partial Service Configurations
Not all MBG services are available in all supported configurations. For each MBG service, this section identifies
the configurations in which the service is not supported at the time of writing. In some cases the service may be
technically possible but is not currently supported, pending further testing or to reduce complexity.
MBG provides the following services:
• Remote MiNet IP Phones
  ◦ Connecting to MBG in MiVoice Business Express is not supported for LAN phones.
  ◦ Connecting to MBG in MiCollab on the LAN is not supported for Internet phones.
• Remote SIP IP Phones
  ◦ Connecting to MBG in MiVoice Business Express is not supported for LAN phones.
  ◦ Connecting to MBG in MiCollab on the LAN is not supported for Internet phones.
• SIP Trunking
  ◦ Connecting to a SIP trunk service provider from MBG in MiCollab on the LAN is not supported.
• Call Recording
  ◦ Connecting to MBG in MiVoice Business Express is not supported for LAN phones.
  ◦ Recording calls with MBG in MiCollab on the network edge is not supported for LAN phones.
  ◦ Recording calls with standalone MBG on the network edge is not supported for LAN phones.
  ◦ Call recording is not available with MBG for the following ICP types: MiVoice Office, silhouette.
• Remote Proxy Services
  ◦ Remote Proxy Services are not available with MBG in MiCollab.
  ◦ Remote Proxy Services are not available with MBG in MiVoice Business Express.
  ◦ Remote Proxy Services are not available with MBG for the following ICP types: MiVoice Office, silhouette.
• Web Real-Time Communication (WebRTC)
  ◦ Browser-based voice and video calling using Google Chrome, Mozilla Firefox and Opera.
3 Common Requirements
This section provides general guidance common to all types of deployments and all services. Please read this
carefully.
3.1 Administrative Access
MBG provides a web-based management GUI for normal administration, log access, etc. This service can be
accessed with any of the following supported web browsers:

• Microsoft Edge 20
• Internet Explorer 9 and higher (do not run in Compatibility View)
• Mozilla Firefox 41 and higher
• Google Chrome 46 and higher
Although not officially supported, the following browsers are tested occasionally and should also work:
• Apple Safari
• Any browser using the Mozilla Gecko engine or the Apple WebKit engine
Note: the MBG GUI requires a browser that supports JavaScript. The built-in MSL text-mode browser does not
support JavaScript and cannot be used to manage MBG.
Some troubleshooting or advanced configuration requires command-line access. SSH is the only supported
mechanism to reach the MSL command line remotely. On Microsoft Windows, Mitel recommends the use of
PuTTY (a small, free SSH client). OpenSSH is included with Apple Mac OS X (open Terminal and type “ssh”),
and is included with or available for most flavors of Unix.
3.2 Firewalls (DMZ deployment)
MBG can be deployed into the DMZ of most third-party firewalls. However, a compatible firewall must have
certain characteristics.
1. The firewall must provide at least three interfaces: external network, internal network, and DMZ.
2. The firewall must provide static 1:1 NAT between an externally-visible address and the DMZ address of
the MBG server.
3. The public address used for MBG must be a static IP address visible from the external network
(Internet). This should be a separate address from the external IP address of the firewall, although some
firewalls that support port forwarding may allow sharing the address. It is vital that this address actually
be static as any change of the address will cause remote sets to lose connectivity.
4. The firewall must preserve the TCP and UDP port numbers in packets exchanged between the MBG
and the external network. In other words, only the address field may be changed.
For deployment in a DMZ, MSL must be installed in “server-only” mode with only a single NIC configured. This
NIC should be given an address on the DMZ network. The firewall will map between this address and the
external address used for MBG.
Details of the protocols that must be configured in the firewall are provided in Firewall Configuration. Particular
attention should be paid to the requirement that all UDP ports >= 1024 on the LAN be permitted to reach the
public IP of the MBG server.
Warning: Failure to configure the firewall properly will result in audio problems (typically one-way
audio).
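The static 1:1 NAT and port-preservation requirements above (items 2 and 4) can be checked mechanically. The following Python script is an added example, not part of the Mitel guide: it audits a NAT table in `iptables-save` format for rules that rewrite ports or use a dynamic mapping for the MBG host. It assumes the DMZ firewall is a Linux netfilter host; the function name `audit_mbg_nat`, the addresses and the UDP port are constructed for illustration.

```python
import shlex

# Constructed sample in `iptables-save -t nat` format. Addresses and the
# UDP port are placeholders chosen for this example, not values from the guide.
SAMPLE_RULES = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 20000 -j DNAT --to-destination 172.16.10.5:30000
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 172.16.10.5
-A POSTROUTING -s 172.16.10.5/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
"""


def audit_mbg_nat(rules_text, public_ip, dmz_ip):
    """Check rules naming the MBG host for static, address-only 1:1 NAT."""
    findings, has_dnat, has_snat = [], False, False
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        tok = shlex.split(line)
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        chain, target = opt["-A"], opt.get("-j", "")
        dst = opt.get("-d", "").split("/")[0]
        src = opt.get("-s", "").split("/")[0]
        if chain == "PREROUTING" and dst == public_ip and target == "DNAT":
            to = opt.get("--to-destination", "")
            if to == dmz_ip:
                has_dnat = True  # address-only: ports pass through unchanged
            elif to.startswith(dmz_ip + ":"):
                findings.append("inbound port rewritten: " + line)
            else:
                findings.append("public address mapped to another host: " + line)
        elif chain == "POSTROUTING" and src == dmz_ip:
            to = opt.get("--to-source", "")
            if target == "SNAT" and to == public_ip:
                has_snat = True
            elif target in ("SNAT", "MASQUERADE"):
                findings.append("outbound mapping not static 1:1: " + line)
    if not has_dnat:
        findings.append("missing address-only DNAT %s -> %s" % (public_ip, dmz_ip))
    if not has_snat:
        findings.append("missing address-only SNAT %s -> %s" % (dmz_ip, public_ip))
    return findings


if __name__ == "__main__":
    for finding in audit_mbg_nat(SAMPLE_RULES, "203.0.113.10", "172.16.10.5"):
        print(finding)
```

Only rules that name the MBG host address exactly are examined; rules written against a wider subnet need a separate review.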
Known Issues
Checkpoint “NG” Firewalls
Checkpoint “NG” firewalls (e.g. FireWall-1 NG) have a feature called “Smart Connection Re-use” that may
interfere with older MiNet sets and some SIP sets that use a fixed source port for their outgoing connection. The
feature should be disabled with older sets or if set connections to the MBG server cannot be maintained.
It is not a problem with newer sets that randomize the source port used for each new connection.
Port-Forwarding Firewalls