SUCCESS!

After ENA configured the firewall in this manner, and taking Robert's
suggestion of adding the :1719 port to the end of the gatekeeper address,
I'm now being prompted for a meeting ID.

    permit tcp any any eq h323
    permit tcp any any eq 1731
    permit tcp any any eq ldap
    permit tcp any any eq 1503
    permit udp any any eq 1719
    permit udp any any eq 1718
    permit tcp any any range 3230 3243
    permit udp any any range 3230 3341
    permit ip any host 159.105.0.73
    permit ip any host 159.105.0.74


Thank you all for helping me solve this issue!



Ben Leslie
Technology Manager, BVSU
P: 802-375-2589 ext. 144
P: 802-375-6409 ext. 217


On Tue, Dec 16, 2014 at 3:56 PM, Ecklund, Morgan <[log in to unmask]> wrote:
>
>  My Pleasure, I only wish I had the Mad skills of Paul Garstki I would
> have 5 ways to tell them how to fix it…
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* Leslie, Ben [mailto:[log in to unmask]]
> *Sent:* Tuesday, December 16, 2014 12:38 PM
>
> *To:* Ecklund, Morgan
> *Subject:* Re: LNV Connection Issue
>
>
>
> Morgan,
>
>
>
> Thank you for all your wonderful help.  I am going to pass this email
> right on to ENA.
>
>
>
> Thanks
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Tue, Dec 16, 2014 at 12:36 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> OK Well when you do get a chance.
>
> Can you check with ena and confirm that the Firewall is set for “stateful
> OUTGOING connections both UDP and TCP”?
>
>
>
> I did a traceroute from the gatekeeper
>
> I am not worried about the timed out at the end just the path.
>
> Here is what I get.
>
> Tracing route to static-6-113-5-96.ien.ada.in.ena.net [96.5.113.6]
> over a maximum of 13 hops:
>
>   1    <1 ms    <1 ms    <1 ms  10.240.0.2
>   2    <1 ms    <1 ms    <1 ms  10.246.254.210
>   3     2 ms     4 ms     4 ms  et1-0.obr-montpelier-1.govnet.state.vt.us [170.222.128.9]
>   4     1 ms    <1 ms    <1 ms  170.222.100.1
>   5     1 ms     1 ms     1 ms  216.238.164.9
>   6     3 ms     2 ms     1 ms  66-109-52-121.tvc-ip.com [66.109.52.121]
>   7     1 ms     1 ms     2 ms  66-109-52-126.tvc-ip.com [66.109.52.126]
>   8    11 ms    12 ms    11 ms  ppp-64-25-209-89.teljet.com [64.25.209.89]
>   9    11 ms    11 ms    11 ms  64.17.122.226
>  10    14 ms    15 ms    14 ms  host2.enacolo-gw.cust.sover.net [207.136.225.242]
>  11     *        *        *     Request timed out.
>  12     *        *        *     Request timed out.
>  13     *        *        *     Request timed out.
>
> Trace complete.
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* Leslie, Ben [mailto:[log in to unmask]]
> *Sent:* Tuesday, December 16, 2014 11:16 AM
>
>
> *To:* Ecklund, Morgan
> *Subject:* Re: LNV Connection Issue
>
>
>
> When I turned on NAT on the Polycom, after having ENA turn it off in
> the firewall, the Polycom unit is showing this 96.5.113.6 as the IP
> address.  This IP is our main address that all traffic passes through.
>
>
>
> The unit is turned off right now (I'm at a different location right now)
> and I think setting it up this way may be causing content filtering
> issues.  I'm assuming so because when it was turned on, I could not access
> an ENA page, after powering it off, I could (maybe a coincidence)
>
>
>
>
>
>
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Tue, Dec 16, 2014 at 11:06 AM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> I am reasonably confident this is an ENA firewall issue.
>
> I am 100 percent sure the return traffic is getting routed incorrectly.
>
> What is the NATed IP address you advertise?
>
> I would like to do a traceroute from the gate keeper to your IP to see
> what we get.
>
> Thanks
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* Leslie, Ben [mailto:[log in to unmask]]
> *Sent:* Tuesday, December 16, 2014 8:07 AM
>
> *To:* Ecklund, Morgan
> *Subject:* Re: LNV Connection Issue
>
>
>
> Morgan,
>
>
>
> Just tried those settings, I'm still getting the gatekeeper error when the
> system boots up.
>
>
>
> It seems to get further in the call process, the circle in the bottom left
> corner turns green and the "call dialog process" changes to scorpia
> meeting, but then kicks back to the home screen.
>
>
>
>
>
> I've confirmed with ENA that NAT config is disabled in the firewall and
> the correct ports are open.
>
>
>
>
>
>
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Mon, Dec 15, 2014 at 3:38 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> Sorry missed this.
>
> You should have the 159.105.0.73 still as the gatekeeper.
>
> I am pretty sure 1800 does not work anymore (one of the upgrades).
>
> Yes, to test the connection try to connect to 159.105.0.74
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* Leslie, Ben [mailto:[log in to unmask]]
> *Sent:* Monday, December 15, 2014 3:05 PM
>
>
> *To:* Ecklund, Morgan
> *Subject:* Re: LNV Connection Issue
>
>
>
> I just enabled NAT on the Polycom, I now see our public IP address on the
> bottom of the home screen (it used to show a DHCP address)
>
>
>
> So I should have the .74 address entered in as the gatekeeper under admin,
> network, h323 settings and then on the home screen try to dial the same .74
> address? where does the 1800 number come in to play?
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Mon, Dec 15, 2014 at 2:48 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> Hmm
>
> Enabling NAT (on the Polycom) works fine from here (we are behind 2
> firewalls), but on the firewall a 1 to 1 (static) NAT appears to cause
> issues.
>
> I am not sure what shows up when you are not registered to a gatekeeper,
> but what do you see at the bottom of the home screen (just an IP address)?
>
> You should be able to dial the 159.105.0.74 and get prompted to connect to
> a meeting; press the # key to get the on-screen number pad.
>
>
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* Leslie, Ben [mailto:[log in to unmask]]
> *Sent:* Monday, December 15, 2014 1:22 PM
> *To:* Ecklund, Morgan
>
>
> *Subject:* Re: LNV Connection Issue
>
>
>
> The NATing would be done on the ENA router/firewall.
>
>
>
> Maybe I misunderstood something but I thought NATing was supposed to be
> turned off here as well. I believe it's turned off on the router/firewall
> and on the polycom unit
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Mon, Dec 15, 2014 at 1:17 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> Just does not sound like the static NAT is working correctly.
>
> Does the NATing occur on your firewall?
>
> Can you give me the External IP address of the NAT that I can hit (try to
> call you into a meeting)?
>
> So are you using ENA for your firewall hosting?
>
> Have you turned off NAT in the Polycom?
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* School Information Technology Discussion [mailto:
> [log in to unmask]] *On Behalf Of *Leslie, Ben
> *Sent:* Monday, December 15, 2014 12:36 PM
>
>
> *To:* [log in to unmask]
> *Subject:* Re: LNV Connection Issue
>
>
>
> Morgan,
>
>
>
>
>
> I've tried both IP addresses.  Using the utilities within the Polycom
> unit, I can traceroute all the way to the Montpelier address.  When I use
> the ping feature, both H323 and SIP fail.
>
>
>
> I'm trying to verify with our ISP/Firewall provider that all the requested
> ports are open.
>
>
>
>
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Mon, Dec 15, 2014 at 12:31 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> Have you tried to connect to 159.105.0.74?
>
> See what happens then.
>
> Have you tried to register from the normal DHCP Pool?
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* School Information Technology Discussion [mailto:
> [log in to unmask]] *On Behalf Of *Leslie, Ben
> *Sent:* Monday, December 15, 2014 10:25 AM
>
>
> *To:* [log in to unmask]
> *Subject:* Re: LNV Connection Issue
>
>
>
> Morgan,
>
>
>
> I'm still having issues connecting, there is still the issue with the
> gatekeeper and when I try connecting to the LNV bridge, I get this message
>
>
>
> "Your call could not be completed because the call was routed through an
> intermediate network that does not service the far site.  Contact your
> network admin for assistance"
>
>
>
>
>
> Any suggestions?
>
> Thanks
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Wed, Dec 10, 2014 at 10:15 AM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> Hey Ben,
>
> Sometimes the transformations do cause problems. If I remember correctly
> not for registrations. I think I have a document that Paul G. penned about
> this.
>
> Let me see if I can find it…. Sorry not sure why I felt like I needed to add
> that pause.
>
> Here is what Paul says about 1 to 1 NATs and some SonicWall-specific
> transformation, but all of the transformations cause issues. Usually not
> for registration though.
>
> Credit to Paul Garstki for this section.
>
> On the SonicWall, H.323 Transformations must be DISABLED. (It is enabled
> by default. Disabling it will not decrease security in any way.)
>
>
>
> You should NOT set up a NAT to the Polycom. You also do not need to open
> any incoming ports, as long as the firewall allows stateful OUTGOING
> connections both UDP and TCP (which would be the normal state). If you have
> set up a NAT, you should delete it.
>
>
>
> Make sure the settings on the Polycom are as I indicated below. You may
> want to hard reboot the Polycom with the power switch on the back.
>
>
>
> Polycom settings:
>
>
>
> Admin Settings --> Network --> IP Network:
>
> a. Use Gatekeeper: *Specify*
>
> b. Gatekeeper: *159.105.0.73*
>
> c. Enable H.460 Firewall Traversal: *checked*
>
> d. NAT configuration: *OFF*
>
> Fixed ports setting doesn't matter
>
>
>
>
>
> To test, try dialing 1800 on the Polycom. This should connect you to the
> LNV bridge menu.
>
>
>
> Let me know if you continue to have problems, and we'll take it farther
>
>
>
> I know I have more information I will keep digging.
>
> Morgan
>
>
>
>
>
>
>
> Morgan Ecklund
>
> Systems Administrator
>
> State of Vermont Agency of Education
>
> 802 479 1095
>
>
>
> *From:* School Information Technology Discussion [mailto:
> [log in to unmask]] *On Behalf Of *Leslie, Ben
> *Sent:* Wednesday, December 10, 2014 8:53 AM
> *To:* [log in to unmask]
> *Subject:* Re: LNV Connection Issue
>
>
>
> Morgan,
>
>
>
> I tried using the .74 address as the gatekeeper and still got the same
> message, prior to changing it, I saw that port 1719 was entered along with
> the original .73 address, I removed that and still had no luck connecting.
>
>
>
> I'm checking that any H.323 filter / H.323 transformations are disabled in
> our firewall but do you have any other suggestions?
>
>
>   Ben Leslie
>
> Technology Manager, BVSU
>
> P: 802-375-2589 ext. 144
>
> P: 802-375-6409 ext. 217
>
>
>
> On Tue, Dec 9, 2014 at 12:03 PM, Ecklund, Morgan <
> [log in to unmask]> wrote:
>
> 159.105.0.73 is the Pathfinder traversal server and is what you should
> register to.
> You can try to directly register 159.105.0.74 (actual Gatekeeper) see if
> it changes the message.
> Morgan
>
>
>
> -----Original Message-----
> From: School Information Technology Discussion [mailto:
> [log in to unmask]] On Behalf Of Ben Leslie
> Sent: Tuesday, December 9, 2014 11:53 AM
> To: [log in to unmask]
> Subject: Re: LNV Connection Issue
>
> Morgan,
>
> I don't have the LNV system setup right now but based on our old
> documentation the IP address we're using for the gatekeeper is either
> 159.105.0.73 or 159.105.0.70.
>
> Is there a new/updated gatekeeper I should be using?
>
>
>
> -----------------------------------------------------------------------
>
> Search <http://list.uvm.edu/archives/school-it.html> the SCHOOL-IT Archive
>
> Manage <http://list.uvm.edu/cgi-bin/wa?SUBED1=SCHOOL-IT&A=1> your
> Subscription to SCHOOL-IT
>
>
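
An added example, not part of the original thread or any participant's code: a first-match evaluator for the ACL lines posted at the top of this message, showing which rule admits a given outbound flow and which rules leave the destination as `any`. It assumes Cisco-style extended ACL syntax, the port keywords h323 = 1720 and ldap = 389, and an implicit deny after the last line; the function names and the sample flows in the tests are constructed.

```python
import ipaddress

# ACL exactly as posted at the top of this message.
ACL = """\
permit tcp any any eq h323
permit tcp any any eq 1731
permit tcp any any eq ldap
permit tcp any any eq 1503
permit udp any any eq 1719
permit udp any any eq 1718
permit tcp any any range 3230 3243
permit udp any any range 3230 3341
permit ip any host 159.105.0.73
permit ip any host 159.105.0.74
"""
# Assumption: Cisco IOS port keywords (h323 = 1720, ldap = 389).
PORT_NAMES = {"h323": 1720, "ldap": 389}

def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_rule(line):
    """Parse 'permit PROTO any (any | host IP) [eq P | range LO HI]'."""
    t = line.split()                      # t[2] is the source, always 'any' here
    is_host = t[3] == "host"
    dst = ipaddress.ip_address(t[4]) if is_host else None   # None = any destination
    rest = t[5:] if is_host else t[4:]
    ports = None                          # None = any destination port
    if rest and rest[0] == "eq":
        ports = (port(rest[1]), port(rest[1]))
    elif rest and rest[0] == "range":
        ports = (port(rest[1]), port(rest[2]))
    return {"text": line, "proto": t[1], "dst": dst, "ports": ports}

RULES = [parse_rule(l) for l in ACL.splitlines()]

def first_match(proto, dst_ip, dst_port):
    """First rule admitting the flow; falls through to the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in RULES:
        if r["proto"] in ("ip", proto) and r["dst"] in (None, ip) \
                and (r["ports"] is None or r["ports"][0] <= dst_port <= r["ports"][1]):
            return r["text"]
    return "deny (implicit)"

def unscoped_rules():
    """Port rules whose destination is 'any' rather than a gatekeeper host."""
    return [r["text"] for r in RULES if r["dst"] is None]
```

With this ACL, everything sent to 159.105.0.73 and 159.105.0.74 is already admitted by the last two lines, so the eight port lines only change the outcome for other destinations.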