Known Issues:

  1. Watchguard advised that because Intermedia's SIP packets travel through port 6060 or 6061 for Secure SIP, the firewall intermittently interferes with the phone/fax traffic, since it expects SIP packets to use port 5060. 
    • This causes many feature and registration failures.
    • Creating the Outbound Phone Policy below is the easiest workaround to prevent phone/fax issues.
    • However, the good news is that SIP ALG is disabled by default, which prevents many phone issues.

Resolution:

  1. Setup DHCP IP Reservations for each phone or fax device:
    • Login to the firewall.
    • Go to Network > Trusted > Settings tab.
    • Write down what it says in the IP Address box.
      • This is the IP of the firewall. 
      • You will need this later.
    • These steps are only needed if you have or plan to purchase Polycom phones.
      • DNS Server Address: "8.8.8.8".
      • Secondary DNS Server Address: "8.8.4.4".
    • Click Save at the bottom of the page.
    • Scroll back up the top the page. 
    • Click on DHCP Reservations...
    • Where it says IP Address, enter in the IP adress that you want the first phone/fax-device to use.
      • Make sure it's an IP that isn't already being used by another device.
    • Next enter the phone's MAC Address in the next box and click Add.
    • Repeatuntil all phones/devices are added.
      • Set the phones to use a specific IP range.
      • Example: 192.168.1.200 to 192.168.1.220.
    • Critical:Make sure to add each Intermedia device, which can include any of the following if you have them:
      • Cisco/Linksys fax adapters,
      • Polycom phones,
      • Vertical phones,
      • RTX cordless transmitter,
      • Cisco cordless bases/transmiters,
      • Vertical Xcelerator base units,
      • & Tecom wireless transmitters.
        • Add only the WAN-interface MAC address that your local network computers can see, not the LAN-side MAC address that shows on your Voice Admin Portal account.
    • Click Submit when done.

  2. Create the Outbound Phone Policy:
    • Click on the Outgoing tab.
    • Where it says Outgoing Filter, set it to Allow.
    • Below the From box, click on the drop-down box and select Host Range.
    • In the Start box, enter the first IP address of the first phone you added in step 3.
    • Then in the End box, enter the last IP address of the last phone.
    • Click Add.
    • Below the To box, click on the drop-down box and select Host Range
      • If you don't have this option, leave the To box set to Any.
        • Start: 64.28.113.10
        • End: 64.28.116.255
    • Click Add.
    • Click on the Properties tab.
    • Under the Protocol Settings box, there is a drop-down box that says TCP or UDP Port.
    • Set this drop-down box to TCP Port.
      • In the first box to the right, enter 1
      • Then in the second box, enter 65535
    • Click Add.
    • Then set the drop-down box to UDP Port.
      • In the first box to the right, enter 1
      • Then in the second box, enter 65535
      • Click Add.
    • Verify the settings match the screenshot in the example.
    • Click Submit to save.
  3. This step is needed for call and fax troubleshooting and monitoring purposes.
    • On the left-hand side of the page, click on Firewall -> Incoming.
    • Where it says Policy Name, type VOICE WAN Ping Monitoring 1.
    • Leave Policy Type set to Packet Filter.  Set theProtocol set to Ping.
    • Where it says Incoming Filter, set it to Allow.
    • In the Policy Host field, enter the IP address of the Watchguard firewall from step 1.
    • Where it says Host IP Address, change that drop-down to Host IPv4
    • Enter: 64.28.122.110
    • Click Submitto save.
    • Repeat the above steps, but change name to VOICE WAN Ping Monitoring 2 and IP address to 64.28.121.110
      • If the steps above do not cause the Firebox to respond to Intermedia WAN Ping Servers (64.28.122.110 and 64.28.121.110), below is an alternate method.  However, it is less secure:
        • On the left-hand side of the page under Firewall, click on Firewall Options.
        • Uncheck the box that says Do not respond to PING requests received on External Network
        • Click Submit to save.

Additional Resources:

  1. Recommended Routers.
  2. Recommended Switches.
  3. Recommended LAN Configurations.
  4. Network Ports and Protocols for HPBX phones.