Known Issues

  1. Watchguard advised that because Intermedia SIP packets could travel through port 6060 or 6061 for Secure SIP (on HPBX 2.0 platform), the firewall interferes with the phone traffic, since it expects SIP packets to use port 5060. This causes many feature and phone registration failures. 
  2. Watchguard Technical Support confirmed the solution below resolves this problem because it prevents the Watchguard from blocking the phones' Keep-Alive/NAT-Binding packets that are sent every 15 seconds.

Resolution

Choose phone network setup:

    • Your IT needs to connect your devices to one of the Ethernet ports on the Watchguard firewall (e.g. via an unmanaged switch) and note the Interface IP address for further firewall rule configuration. 
    • The Alternate Setup requires setting up DHCP IP reservations for each Intermedia Voice Device. Voice Devices include phones, fax adapters, cordless transmitters, wireless transmitters, and other devices. Consult your IT for more information on how to set up reservations.
      Note:
      this is not recommended as if you introduce any changes to the network configuration, the phones' setup in the Web UI will have to be updated manually.
  1. Setting up the phone network interface:
     
    • Log in to the XTM-series Web UI. 
      Note: for security purposes, some ITs choose to disable the Web UI or only allow access to it from specific computers so you may not be able to log in. If this is the case, email the instructions below for their IT to make the changes. Otherwise, the IT will need to call Intermedia Voice Technical Support.
    • Click on DNS/WINS in the middle of the page. Under DNS Server, enter in the DNS server address below one-at-a-time and click Add:
      • 8.8.8.8
      • 8.8.4.4
      • Click Save at the bottom of the page.
    • Click on Network on the left-hand side of the page > Interfaces.  
    • Select the Interface that the phones will be using.
    • Click Configure and confirm the Interface Type is set to Trusted.
    • Right below where it says IPv4, confirm the drop-down box is to DHCP Server.
    • The following steps are only needed if you have or plan to purchase Polycom phones or have registration failures with other devices.
  2. Creating the Outbound Phone Policy:
     
    • This allows all traffic through all TCP & UDP ports to just the phones.
    • On the left-hand side of the page, click on Firewall > Firewall Policies > Add Policy.
    • Where it says Select a policy type, click on the drop-down box and select TCP-UDP.
    • Rename the policy to SIP Outgoing and scroll down to the bottom of the page to click Save
    • On the next page, to the right of where it says SIP Outgoing, ensure the Enable box is checked.
    • Where it says Connection are, confirm it's set to Allowed.
    • Under the From field box, select Any-Trusted and click Remove. Click Add, a dialog box will open, choose one of the options below:
      - If you're using the Recommended Setup, then set the Member type to Alias. In the box below Alias, select the name of the interface that the phones are using and click OK.
      - If you're using the Alternate Setup, then change the Member type to Host Range IPv4 and enter the range for DHCP IP reservations you have set for the devices.
    • Under the To field box, select Any-External and click Remove. Click Add, a dial box will open. Change the Member type to Host Range IPv4 and enter the IP address range provided by Intermedia to be whitelisted, then click OK.
    • Leave Enable Intrusion Prevention checked. 
    • Scroll down to the bottom of the page & click Save.
    1. This step is needed for call and fax quality monitoring and troubleshooting purposes:
      • On the left-hand side of the page, click on Firewall > Firewall Policies > Add Policy.
      • Select Packet Filter as policy type and click on the drop-down box and select Ping.
      • Rename the policy to Intermedia Voice Ping Monitor.  Scroll down to the bottom of the page & click Add Policy
      • On the next page, to the right of where it says Intermedia Voice Ping Monitor, ensure the Enable box is checked.
      • Where it says Connection are, confirm it's set to Allowed.
      • Under the From field box, select Any-Trusted and click Remove. Click Add, a dialog box will open, change the Member type to Host Range IPv4 and enter WAN Ping Test Server IP provided by Intermedia and then click OK.
      • Under the To field box, select Any-External and click Remove. Click Add again, set the Member type to Alias, select Firebox.  Click OK.
    2. Allow Traffic Between Phone & Computer Subnets (skip this section if you used the Alternate Setup):
      • On the left-hand side of the page, click on Firewall > Firewall Policies > Add Policy.
      • Under Policy Name, name it Browser to VoIP.
      • Select Packet Filter policy type and set the drop-down box to the right to Any and click Add Policy.
      • On the next page to the right where it says Browser to VoIP, ensure the Enable box is checked.
      • Where it says Connection are, confirm it's set to Allowed.
      • Under the From field box, select Any-Trusted and click Remove. Click Add, a dialog box will open: with the Member type set to Alias, select Trusted and click OK. Click Add again: with the Member type set to Alias, select the Alias you have previously created and click OK.
      • Under the To field box, select Any-External and click Remove. Click Add, then a dialog box will open: with the Member type set to Alias select Trusted click OK. Click Add again: with the Member type set to Alias, then select the Alias you previously created, then click OK.
      • Leave Enable Intrusion Prevention checked.
      • Scroll down to the bottom of the page and click Save.