Recommendation Information

Price: ~$220 and above

  • These firewalls have a new Bandwidth Management system, implemented in firmware v5.8.1.0 and above, that allows you to reserve the exact amount of bandwidth the Intermedia devices need. Unfortunately, it has known software bugs and isn't very effective compared to the ZyWall USG-series. SonicWall is actively working to resolve the problems, so the BWM should improve.

  • They are considerably more expensive than the recommended ZyXEL ZyWall USG-series firewalls, but at Intermedia we have a long track record of success with SonicWalls.

Known Issues

  1. If these firewalls are not configured, they intermittently interfere with phone registration, causing call and feature failures.  SIP Transformations, which is the same as SIP ALG, may be enabled and will cause call failures and one-way audio problems unless it's disabled.

  2. Running an early release firmware is known to cause unusual call quality problems and phone feature failures, so make sure to run only the latest stable firmware release.

  3. Security Note: We are adding rules that only allow traffic to/from your Intermedia phones and the Intermedia Voice servers. Your computers remain fully protected. The firewall rules below only apply to the Intermedia phones.

The models that typically have this new interface include the following:

  • TZ 105 series, TZ 205 series, TZ 215 series.

  • NSA 220 series, 250M series, 2400, 2600, 3600, 4600, 5600, 6600.

Confirm and/or set the following settings.  Depending on the firmware version and model of your SonicWall, the instructions may vary slightly.

Resolution

The instructions below only apply to New SonicWalls with the White/Blue Interface, which is also known as SonicOS Enhanced.

  1. Go to System > Status > Write down the Firmware Version number > Verify your firmware is not unstable:

    • Stable firmware:

      • We have confirmed that these versions do not cause issues at many customers' sites:

        • 5.8.1.15-51o.

        • 5.8.1.14-48o.

        • 5.8.1.6-3o.

    • Firmware we are testing:

      • 5.8.1.2-6o:

        • May cause errors adding Service Objects with Network subnets.  See the end of step 6 for details.

      • 5.9.0.6-3o.

      • Other 5.9.0.x versions - excluding 5.9.0.4-127o.

      • Please contact us if you have a SonicWall with a 5.9.x.x firmware version so we can run QoS tests to verify if the firmware is stable or not.

    • Unstable firmware:

      • These firmware versions cause strange call/fax quality issues:

        • 5.9.0.4-127o.

        • Many 5.8.x.x Early Release versions.

        • Many 5.9.x.x Early Release versions.

        • Many firmware versions older than 5.8.14-48o.

    • If you are not sure:

      • Go to www.mysonicwall.com and login to your SonicWall account to verify whether you have a General or Early Release Firmware.

  2. Go to VoIP > Settings:

    • Enable consistent NAT: Uncheck.

    • Enable SIP Transformations: Uncheck.

    • Click Apply.

  3. Go to Security Services > Content Filter:

    • If you subscribed to the Content Filter feature, then scroll down to CFS Policy per IP Address Range > Add > Set the following:

      • IP Address From: 64.28.112.0.

      • IP Address To: 64.28.127.255.

      • CFS Policy: Default.

      • Comment: To allow devices to access the Intermedia Voice WAN IP range.

    • Click Apply.

  4. Critical: Do the following steps to remove old firewall rules that can conflict with the new rules.

    • Go to Firewall > Access Rules > Matrix (top-left):

      • Select the Arrow that intersects with LAN to LAN.

      • Disable or delete any rules that say VoIP or Voice under Destination or Service.

    • Click on Matrix (top-left):

      • Select the Arrow that intersects with LAN to WAN.

      • Disable or delete any rules that say VoIP or Voice under Destination or Service.

    • Click on Matrix (top-left):

      • Select the Arrow that intersects with WAN to LAN.

      • Disable or delete any rules that say VoIP or Voice under Destination or Service.

    • Click on Matrix (top-left):

      • Select the Arrow that intersects with WAN to WAN.

      • Disable or delete any rules that say VoIP or Voice under Destination or Service.

  1. Go to Firewall > Service Objects:

    • Scroll down to the Service Objects section > Add > Do the following:

      • For Hosted PBX 2.0:
        • Name: “Cloud Voice RTP Audio Range”.

          • Protocol: UDP(17).

          • Port Range: 30000 – 50000.

          • Click Add.

        • Name: “Cloud Voice SIP Destination Port”.

          • Protocol: UDP(17).

          • Port Range: 6060 – 6061.

          • Click Add.

        • Name: “Cloud Voice SIP Local Ports”.

          • Protocol: UDP(17).

          • Port Range: 6100 – 6899.

          • Click Add.

        • Name: “Cloud Voice VoIP Test SIP Range”.

          • Protocol: UDP(17).

          • Port Range: 5678 – 6677.

          • Click Add.

        • Name: “Cloud Voice VoIP Test RTP Range”.

          • Protocol: UDP(17).

          • Port Range: 50000 – 60000.

          • Click Add.

      • For Hosted PBX 1.0:
        • Name: “Cloud Voice RTP Audio Range”.

          • Protocol: UDP(17).

          • Port Range: 35000 – 65000.

          • Click Add.

        • Name: “Cloud Voice SIP TCP”.

          • Protocol: TCP(6).

          • Port Range: 5060 – 6061.

          • Click Add.

        • Name: “Cloud Voice SIP UDP”.

          • Protocol: UDP(17).

          • Port Range: 5060 – 5061.

          • Click Add.

  2. Scroll up to Service Groups > Add > Do the following:

    • Name: “Cloud Voice Service Ports”.

    • In the left-hand box, highlight the Service Objects you created.

    • Click the "->" button to move those Objects to the right.

    • Click OK.

  3. Go to Network > Address Objects:

    • Scroll down to Address Objects > Add > Do the following:

    • For Hosted PBX 2.0:
      • Name: “Cloud Voice RTP Server Block1”.

        • Zone Assignment: WAN.

        • Type: Network.

        • Network: 64.28.114.0.

          • For accounts created after 5/6/15 use 64.28.124.0.

        • Netmask: 255.255.255.0.

        • Click Add.

      • Name: “Cloud Voice RTP Server Block2”.

        • Zone Assignment: WAN.

        • Type: Network.

        • Network: 64.28.116.0.

          • For accounts created after 5/6/15 use 64.28.123.0.

        • Netmask: 255.255.255.0.

        • Click Add.

      • Name: “Cloud Voice SIP Register Server”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.113.10.

          • For accounts created after 5/6/15 use 64.28.119.10.

        • Click Add.

      • Name: “Cloud Voice Phone Config Server1”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.115.146.

        • Click Add.

      • Name: “Cloud Voice Phone Config Server2”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.112.148.

        • Click Add.

      • Name: “Cloud Voice DNS/Time Server1”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.112.157.

        • Click Add.

      • Name: “Cloud Voice DNS/Time Server2”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.115.137.

        • Click Add.

      • Name: “Cloud Voice DNS/Time Server3”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.126.9.

        • Click Add.

      • Name: “Cloud Voice SVDNS Server”. - This entry is only required if you have the old DPS-V Vertical phone system.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.126.29.

        • Click Add.

      • Name: “Cloud Voice PTS Server”. - This entry is only required if you have Vertical desk phones or RTX cordless phones.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.115.150.

        • Click Add.

      • Name: “Cloud Voice Ping Test Server”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.122.100.

        • Click Add.

      • Name: "Cloud Voice VoIP Test Server1".

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.122.103.

        • Click Add.

      • Name: "Cloud Voice VoIP Test Server2".
        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.122.102.

        • Click Add.

      • Name: "Cloud Voice VoIP Test Server3".
        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.121.101.

        • Click Add.

    • For Hosted PBX 1.0:
      • Name: “Cloud Voice RTP Server Block1”.

        • Zone Assignment: WAN.

        • Type: Network.

        • Network: 206.225.167.64

        • Netmask: 255.255.255.192

        • Click Add.

      • Name: “Cloud Voice RTP Server Block2”.

        • Zone Assignment: WAN.

        • Type: Network.

        • Network: 199.193.202.64

        • Netmask: 255.255.255.224

        • Click Add.

      • Name: “Cloud Voice SIP Register Server”.

        • Zone Assignment: WAN.

        • Type: Network.

        • Network: 206.225.166.128

        • Netmask: 255.255.255.240
        • Click Add.

      • Name: “Cloud Voice Ping Test Server”.

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.122.100.

        • Click Add.

      • Name: "Cloud Voice VoIP Test Server".

        • Zone Assignment: WAN.

        • Type: Host.

        • IP Address: 64.28.122.103.

        • Click Add.

    • Scroll up to Address Groups > Add > Do the following:

      • Name: "Cloud Voice Servers".

      • In the left-hand box, highlight the Address Objects you created above.

      • Click the "->" button to move those Objects to the right.

      • Click OK.

        • You may get an error saying that Cloud Voice RTP Server Block1 & 2 do not exist.

        • This is due either to the SonicWall login timing out as you were adding the Service Objects or to a bug affecting SonicWall firmware 5.8.1.2-6o.

        • Just delete the 2 affected Service Objects, re-create them, and then add them to the Service Group.

  4. Go to Firewall > Access Rules > Add:

    • General Tab:

      • Action: Allow.

      • From Zone: LAN.

      • To Zone: WAN.

      • Source Port: Any.

        • It is OK if you don't see this option. It only exists in the latest SonicWall firmware versions.

      • Service: Cloud Voice Service Ports.

      • Source: LAN Subnets.

      • Destination: Cloud Voice Servers.

      • Users Allowed: All.

      • Users Excluded: None.

        • It is OK if you don't see this option. It only exists in the latest SonicWall firmware versions.

      • Schedule: Always On.

      • Comment: Allow Cloud Voice VoIP Devices.

      • Allow Fragmented Packets: Uncheck.

      • The following boxes are optional but useful. Depending on the model of your SonicWall, you may not have one or more of the options below:

        • Enable Logging: Check.

        • Enable flow reporting: Check.

        • Enable packet monitor: Check.

        • Enable Geo-IP Filter: Check.

        • Enable Botnet Filter: Check.

        • Enable Management: Uncheck.

    • Click on the QoS tab:

      • DSCP Marking Action: Preserve.

      • 802.1p Marking Action: None.

    • Click on the Advanced tab:

      • TCP Connection Inactivity Timeout (minutes): 15.

      • UDP Connection Inactivity Timeout (seconds): 300.

      • Number of connections allowed (% of maximum connections): 100.

      • Enable connection limit for each Source IP Address: Uncheck.

      • Enable connection limit for each Destination IP Address: Uncheck.

      • Create a reflexive rule: Check.

      • This will automatically create the WAN to LAN rule for you.

        • If you do not have the 'Create a reflexive rule' option, you will need to create the reflexive rule manually by doing the following:

  5. This step is needed to allow the SonicWall to respond to our Call Quality Monitoring and Troubleshooting Server, 64.28.122.100:

    • Go to Network > Interfaces:

      • Find the WAN interface, and click the pencil icon all the way to the right to edit its configuration.

        • Click the Ping checkbox.

        • Click OK.

      • The following steps cause the SonicWall to respond to WAN pings only from the Intermedia Voice Ping Server, for maximum security.

        • If you want the SonicWall to respond to other devices on the WAN, you will need to customize the rule below on your own or contact SonicWall for help.

      • Go to Firewall > Access Rules > Matrix (top-left).

        • Click on the arrow that intersects with WAN to WAN.

        • Find the WAN interface rule that shows Ping under the Service column.

        • Click the Edit icon to the right of the rule.

          • Change the Source to "Cloud Voice Ping Test Server".

          • Click OK.
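
Added example, not part of the original article or of any SonicWall or Intermedia tooling: the LAN > WAN allow rule built above pairs every address in "Cloud Voice Servers" with every port range in "Cloud Voice Service Ports", for any host in LAN Subnets. The Python below uses the Hosted PBX 2.0 values from the steps above (the default addresses, not the post-5/6/15 alternatives) to compute the merged port exposure of the rule and to check flows against it; the function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Hosted PBX 2.0 Service Objects from the steps above: name -> (protocol, first, last).
SERVICES = {
    "Cloud Voice RTP Audio Range": ("udp", 30000, 50000),
    "Cloud Voice SIP Destination Port": ("udp", 6060, 6061),
    "Cloud Voice SIP Local Ports": ("udp", 6100, 6899),
    "Cloud Voice VoIP Test SIP Range": ("udp", 5678, 6677),
    "Cloud Voice VoIP Test RTP Range": ("udp", 50000, 60000),
}
# Hosted PBX 2.0 Address Objects (default addresses, not the post-5/6/15 alternatives).
SERVERS = [ipaddress.ip_network(n) for n in (
    "64.28.114.0/255.255.255.0", "64.28.116.0/255.255.255.0",
    "64.28.113.10", "64.28.115.146", "64.28.112.148", "64.28.112.157",
    "64.28.115.137", "64.28.126.9", "64.28.126.29", "64.28.115.150",
    "64.28.122.100", "64.28.122.103", "64.28.122.102", "64.28.121.101",
)]

def effective_ports(services=SERVICES):
    """Merge overlapping or adjacent ranges per protocol: what the group really opens."""
    merged = {}
    for proto, lo, hi in sorted(services.values()):
        spans = merged.setdefault(proto, [])
        if spans and lo <= spans[-1][1] + 1:
            spans[-1][1] = max(spans[-1][1], hi)
        else:
            spans.append([lo, hi])
    return {p: [tuple(s) for s in spans] for p, spans in merged.items()}

def rule_allows(dst_ip, proto, dst_port):
    """True if the voice rule matches: ANY server in the group on ANY port in the group."""
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in SERVERS):
        return False
    spans = effective_ports().get(proto.lower(), [])
    return any(lo <= dst_port <= hi for lo, hi in spans)

# Constructed sample flows (src, dst, proto, dst_port); not captured traffic.
SAMPLE_FLOWS = [
    ("192.168.1.50", "64.28.113.10", "udp", 6060),    # SIP to the register server
    ("192.168.1.50", "64.28.114.27", "udp", 31044),   # RTP audio to server block 1
    ("192.168.1.50", "64.28.122.100", "udp", 40000),  # ping server on an RTP port: matches too
    ("192.168.1.77", "64.28.113.10", "tcp", 443),     # voice server, but no TCP in the group
    ("192.168.1.77", "203.0.113.9", "udp", 6060),     # voice port, but not a voice server
]

def audit(flows=SAMPLE_FLOWS):
    """Return the flows the voice rule does not match (left to the other access rules)."""
    return [f for f in flows if not rule_allows(f[1], f[2], f[3])]

if __name__ == "__main__":
    print("Effective exposure:", effective_ports())
    for flow in audit():
        print("Not covered by the voice rule:", flow)
```
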

  6. This step is needed to reserve the bandwidth the phones & fax devices need to ensure excellent call & fax quality.

    • Warning: This process can cause your computers and phones to lose internet connection for a few minutes, or much longer if an unexpected issue arises.

      • Make sure to make these changes only when you can risk losing internet connectivity.

    • Go to Firewall Settings > BWM (Bandwidth Management):

      • If you do not have a BWM option:

        • Then you or your IT will need to upgrade the SonicWall to the latest stable General Release firmware version.

        • Call SonicWall if you need help upgrading the firmware.

        • If you still do not have this option, your SonicWall is too old and does not support full-BWM.  Results may vary.  Skip to step "A" below.

    • There are many ways to setup BWM.

      • Below is our general method that is used to encompass most customers' sites.

      • If BWM was already setup by your IT, then consult with your IT before making any of the changes below.

      • Use only the Easy Method or Advanced Method below:

        • Easy Method:

          • Bandwidth Management Type: Global.

          • Set the Priority Levels to match the table below:

            Priority        Enable      Guaranteed   Maximum/Burst
            0 Realtime      Checked     30%          100%
            1 Highest       Unchecked   0%           0%
            2 High          Unchecked   0%           0%
            3 Medium High   Unchecked   0%           0%
            4 Medium        Checked     70%          70%
            5 Medium Low    Unchecked   0%           0%
            6 Low           Unchecked   0%           0%
            7 Lowest        Unchecked   0%           0%

          • Total: Should auto set to 100.

            • If the total is higher than 100, something is wrong.

            • Double-check your changes to confirm they were entered correctly.

            • Click Accept.

          1. This step is required to allow the SonicWall to guarantee that the phones and faxes get the bandwidth they need to/from the WAN interface to the ISP & LAN.

            • Go to Network > Interfaces:

              • Find the WAN interface the phone equipment is behind.

              • Click the pencil icon all the way to the right to edit its configuration.

              • Click on the Advanced Tab > Bandwidth Management:

                • Enable Egress Bandwidth Management: Check.

                  • Available Interface Egress Bandwidth (Kbps):

                    • Enter only 80-95% of the Upload bandwidth you pay for.

                    • If you do not know what it is, take the average of 3 Upload results at speedtest.net.

                • Enable Ingress Bandwidth Management: Check.

                  • Available Interface Ingress Bandwidth (Kbps):

                    • Enter only 80-95% of the Download bandwidth you pay for.

                    • If you do not know what it is, take the average of 3 Download results at speedtest.net.

                  • Click OK.

          • This step is required to allow the SonicWall to guarantee that the phones and faxes get the bandwidth they need in the LAN-to-WAN bridge:

            • Go to Network > Interfaces:

              • Find the LAN interface the phone equipment is behind.

              • Click the pencil icon all the way to the right to edit its configuration.

              • Click on the Advanced Tab > Bandwidth Management:

                • Enable Egress Bandwidth Management: Check.

                  • Available Interface Egress Bandwidth (Kbps):

                    • Enter only 80-95% of the Download bandwidth you pay for.

                    • If you do not know what it is, take the average of 3 Download results at speedtest.net.

                • Enable Ingress Bandwidth Management: Check.

                  • Available Interface Ingress Bandwidth (Kbps):

                    • Enter only 80-95% of the Upload bandwidth you pay for.

                    • If you do not know what it is, take the average of 3 Upload results at speedtest.net.

                  • Click OK.

          • Go to Firewall > Access Rules > Matrix (top-left):

            • Select the Arrow that intersects with LAN to WAN.

            • Find the rule that shows Cloud Voice Servers and Cloud Voice Service Ports.

            • Click the Edit Pencil icon to the right of the rule.

          • Ethernet BWM tab:

            • Enable Egress Bandwidth Management ('allow' rules only):

              • Bandwidth Priority: 0 Realtime.

            • Enable Ingress Bandwidth Management ('allow' rules only):

              • Bandwidth Priority: 0 Realtime.

            • Click OK.

          • Click on Matrix (top-left):

            • Select the Arrow that intersects with WAN to LAN.

            • Find the rule that shows Cloud Voice Servers and Cloud Voice Service Ports.

            • Click the Edit Pencil icon to the right of the rule.

              • Ethernet BWM tab:

                • Enable Egress Bandwidth Management ('allow' rules only):

                  • Bandwidth Priority: 0 Realtime.

                • Enable Ingress Bandwidth Management ('allow' rules only):

                  • Bandwidth Priority: 0 Realtime.

                • Click OK. 

        • Advanced Method:

           

  7. The following step is needed if you have or plan to purchase Polycom phones:

    • Warning: These changes will take your computers, phones, and all other devices offline for 10 minutes, or much longer if an unexpected problem arises.

    • Make sure to only make the changes below when you can afford to take your network offline.

      • Go to Network > DHCP Server:

        • Where it says DHCP Server Settings, determine if the Enable DHCP Server is checked or not:

          • If the 'Enable DHCP Server' option is not checked:

            • Then that means you have your primary DHCP server running on a separate device, like a Windows Server.

            • This means you will need to change the DHCP DNS servers on that standalone DHCP server.

            • The DHCP DNS needs to be set to 8.8.8.8/8.8.4.4, or you need to create Stub Zones that forward Polycom DNS requests directly to our DNS servers.

            • If you have a Windows Server, click here for instructions.

          • If the 'Enable DHCP Server' option is checked:

            • Go to DHCP Server Lease Scopes:

              • Where it says View Style, select “All”.

                • There should be at least 1 Dynamic Scope listed.

                • If there is more than 1 Dynamic Scope, find the one the phones are using.

              • Go to the right of the Dynamic Scope the phones are using.

                • Confirm the 'Enable' box is checked.

                  • If the 'Enable' box is checked:

                  • If the 'Enable' box is not checked: