Known Issues

  1. WatchGuard advised that because Intermedia SIP packets travel through port 6060 or 6061 for Secure SIP, the firewall interferes with the phone traffic, since it expects SIP packets to use port 5060. This causes many feature and phone registration failures.
  2. WatchGuard Technical Support confirmed the solution below resolves this problem because it prevents the WatchGuard from blocking the phones' Keep-Alive/NAT-Binding packets that are sent every 15 seconds.

Resolution

  1. Choose phone network setup
    • Your IT needs to set up the network as shown in the image below. It's the easiest method to set up and manage.
      • The XTM series has Ethernet ports labeled 0, 1, 2, 3, 4, and higher, depending on the model.
      • 0 is used as the WAN port by default.
      • 1 - 4 and above are LAN ports by default.
      • Each LAN port can be configured to be a unique subnet.
    • The Recommended Setup below uses this feature to separate the phones from the computers.

    • If it's not physically possible to set up the network as shown above, use the Alternate Setup shown below.
    • The Alternate Setup requires setting up DHCP IP reservations for each Intermedia Voice Device.
      • Voice Devices include phones, fax adapters, cordless transmitters, wireless transmitters, and other devices.
    • Consult your IT for more information on how to set up reservations.

  2. Set up the phone network interface
    • Log in to the firewall.
      • The XTM-series firewalls do have a web UI.
      • For security purposes, some ITs choose to disable the web UI or only allow access to it from specific computers, so you may not be able to log in.
      • If this is the case, email the instructions below to the IT so they can make the changes.
      • Otherwise the IT will need to call Intermedia Cloud Voice Technical Support.
    • Click on Network on the left-hand side of the page > Interfaces.  
    • Select the Interface that the phones will be using.
      • In the example below, it's Interface 2 with the Name (Alias) of VOIP and IPv4 Address of 10.10.0.1/24
    • Click Edit > confirm the Interface Type is set to Trusted.
    • Right below where it says IPv4 > confirm the drop-down box is set to DHCP Server.
    • The following steps are only needed if you have or plan to purchase Polycom phones:
      • Click on DNS/WINS in the middle of the page.
      • Where it says DNS Server > enter each DNS server address below, one at a time > click Add:
        • 8.8.8.8
        • 8.8.4.4
      • Click Save at the bottom of the page.
  3. Create the Outbound Phone Policy
    • On the left-hand side of the page, click on Firewall > Firewall Policies > click Add Policy
    • Where it says Select a policy type > click on the drop-down box > select TCP-UDP.
      • This allows all traffic through all TCP & UDP ports to just the phones.
    • Rename the policy SIP Outgoing > scroll down to the bottom of the page > click Save. 
    • On the next page > to the right of where it says Name > ensure the Enable box is checked.
    • Where it says Connections are > confirm it's set to Allowed.
    • Under the From field box > select Any-Trusted > click Remove.
    • Under the To field box > select Any-External > click Remove.
    • Under the From field box > click Add > a dialog box will open > choose option 1 or 2 below:
      1. If you're using the Recommended Setup as shown in step 1 > set the Member type to Alias.
        • In the box below Alias > select the name of the interface from Step 2 that the phones are using > click OK.
        • In the example from step 2, the example Alias was named VOIP.
      2. If you're using the Alternate Setup as shown in step 1 > change the Member type to Host Range IPv4.
        • Example:
          • The DHCP IP reservations for a customer's phones were 172.16.0.60, 172.16.0.61, & 172.16.0.62.
          • Therefore the IPv4 range you'd need to enter is: 172.16.0.60 - 172.16.0.63
    • Under the To field box > click Add > a dialog box will open.
    • Change the Member type to Host Range IPv4 > enter the following & then click OK:
      • For Hosted PBX 2.0:
        • From: 64.28.112.0
        • To: 64.28.127.255
      • For Hosted PBX 1.0:
        • From: 206.225.167.64
        • To: 206.225.167.127
        • From: 199.193.202.64
        • To: 199.193.202.95
        • From: 206.225.166.128
        • To: 206.225.166.143
    • Leave Enable Intrusion Prevention checked.  Scroll down to the bottom of the page & click Save.
    • The final result should look like the screenshot below.
  4. This step is needed for call and fax quality monitoring and troubleshooting purposes:
    • On the left-hand side of the page, click on Firewall > Firewall Policies > click Add Policy
    • Where it says Select a policy type, select Packet Filter and click on the drop-down box and select Ping.
    • Rename the policy Intermedia Cloud Voice Ping Monitor.  Scroll down to the bottom of the page & click Add Policy. 
    • On the next page, to the right of where it says Name, ensure the Enable box is checked.
    • Where it says Connections are, confirm it's set to Allowed.
    • Under the From field box, select Any-Trusted and click Remove.
    • Under the To field box, select Any-External and click Remove.
    • Under the From field box, click Add.  A dialog box will open.
    • Change the Member type to Host IPv4.   Enter 64.28.122.100 & then click OK.
    • Under the To field box, click Add again.  Set the Member type to Alias.  Select Firebox.  Click OK.
  5. Allow Traffic Between Phone & Computer Subnets:
    • The steps in this section are only needed if you used the Recommended Setup.
    • Skip this section if you used the Alternate Setup.
    • On the left-hand side of the page, click on Firewall > Firewall Policies > click Add Policy.
    • Under Policy Name > name it Browser to VoIP.
    • Where it says Select a policy type > select Packet Filter > set the drop-down box to the right to Any > click Add Policy.
    • On the next page > to the right where it says Name > ensure the Enable box is checked.
    • Where it says Connections are > confirm it's set to Allowed.
    • Under the From field box > select Any-Trusted > click Remove.
    • Under the To field box > select Any-External > click Remove.
    • Under the From field box > click Add > a dialog box will open:
      • With the Member type set to Alias > select Trusted > click OK.
    • Under the From field box > click Add again.
      • With the Member type set to Alias > select the Alias you created in Step 2 > click OK.
        • In the example, it was named VOIP.
    • Under the To field box > click Add > a dialog box will open.
      • With the Member type set to Alias > select Trusted > click OK.
    • Under the To field box > click Add again > with the Member type set to Alias > select the Alias you created in Step 2 > click OK.
    • Leave Enable Intrusion Prevention checked.
    • Scroll down to the bottom of the page > click Save.
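
To check the finished SIP Outgoing policy from step 3 against real traffic, the sketch below (an added example, not Intermedia or WatchGuard code) converts the page's To host ranges into CIDR blocks and lists phone-subnet flows the policy would not match. The flow tuple layout, the function names, and the 10.10.1.0/24 computer subnet are assumptions made for illustration.

```python
import ipaddress

# "To" host ranges from step 3 of this page.
INTERMEDIA_RANGES = {
    "Hosted PBX 2.0": [("64.28.112.0", "64.28.127.255")],
    "Hosted PBX 1.0": [
        ("206.225.167.64", "206.225.167.127"),
        ("199.193.202.64", "199.193.202.95"),
        ("206.225.166.128", "206.225.166.143"),
    ],
}

def to_cidrs(first, last):
    """Collapse an inclusive host range into the CIDR blocks covering exactly it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def allowed_networks(product):
    """CIDR form of the SIP Outgoing "To" list for one product."""
    return [n for first, last in INTERMEDIA_RANGES[product] for n in to_cidrs(first, last)]

def audit_flows(flows, phone_net, product):
    """Return outbound flows from the phone subnet that SIP Outgoing would not match."""
    phones = ipaddress.ip_network(phone_net)
    nets = allowed_networks(product)
    findings = []
    for src, dst, proto, port in flows:
        if ipaddress.ip_address(src) not in phones:
            continue  # other subnets are governed by other policies
        if not any(ipaddress.ip_address(dst) in n for n in nets):
            findings.append((src, dst, proto, port))
    return findings

# Constructed sample of flows leaving the external interface (not real captures).
# 10.10.0.0/24 is the example VOIP interface from step 2; 10.10.1.0/24 is assumed.
SAMPLE_FLOWS = [
    ("10.10.0.21", "64.28.113.10", "udp", 6060),   # SIP registration, in range
    ("10.10.0.21", "64.28.127.255", "tcp", 6061),  # Secure SIP, last address in range
    ("10.10.0.22", "64.28.128.1", "udp", 6060),    # just past the range
    ("10.10.0.23", "8.8.8.8", "udp", 53),          # DNS from step 2, not an Intermedia range
    ("10.10.1.50", "64.28.113.10", "tcp", 443),    # computer subnet, skipped
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, "10.10.0.0/24", "Hosted PBX 2.0"):
        print("not covered by SIP Outgoing:", finding)
```

For the Alternate Setup, pass the reserved phone range in CIDR form as phone_net; the page's example range 172.16.0.60 - 172.16.0.63 is 172.16.0.60/30. A flagged flow, such as the DNS lookup to 8.8.8.8, has to be permitted by some other policy on the firewall.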