Ports

suggestion

#1

Hello guys
My SIP provider wants me to have a STATIC IP for my internet, and also wants to use port 5060 and only allow traffic for 5060 from their SIP SIGNAL IPs and SIP MEDIA IPs and deny from anywhere else, for security and to prevent the phantom ring. So now in this situation I'm using TLS on the GS Wave app on all of my smartphones and they work fine, but I do have a GXV3275 Grandstream phone and I need to make it work with TLS. Any idea where I change the port for TLS and make it 5061? That's the TLS port on the UCM6202 by default.
Please suggest if I can use UDP instead for my endpoints, or is it for everything, including the SIP TRUNKS AND ENDPOINTS. Can I use UDP for endpoints or no?


#2

Yes, UDP works for endpoints.

If your phones are local, stay with the default (UDP 5060).

By the way, to use TCP or TLS, you need to enable them in SIP Settings on the UCM.


#3

Can someone shine more light, PLEASE… I have a UCM6202 with SIP TRUNKS from my provider, and my provider wants to only forward port 5060 from his IPs and not from anyone else, for security reasons and to prevent phantom ringing.
So now the problem is that I have some remote phones, like the GXP2135 and GXV3275, that need to connect back to the office from remote locations. I was thinking of using TLS port 5061, and that trick worked for my smartphones with GS Wave, which are working remotely, but I'm not able to make the actual Grandstream phones work with TLS port 5061… Is this the only way to do so? I'm reserving port 5060 UDP only for my provider to come in on from the outside world, and denying everyone else on the router.
And I'm accepting TCP/UDP port 5061 from anywhere, and it is forwarded to my UCM6202 internal IP.
I know I can set up a VPN, but that would have been ideal if I only had a few locations, and my remote phones are going to be all over the map.


#4

If you route all your phones via the office UCM, then all calls to your provider will come from your designated IP. I do not understand why you cannot allow remote phones onto your system from any port you wish.

Have you considered moving to another ITSP?

I question your VoIP provider’s logic. IMHO:

  • If the ITSP wants to restrict access then he should do it via a static IP or DDNS FQDN, not port level.

  • Phantom ringing can be solved at the phone level by turning on the requisite SIP security option. This is a red herring.

That being said I only allow remote phones to connect to my {client’s} system via a VPN or from a known static IP. Otherwise I personally find the risk of being remotely hacked unacceptable.


#5

[Attached image: SIP provider ports]

Please see the attached pic… In the pic I'm hiding my SIP TRUNK PROVIDER'S NAME AND IPs… So basically they want me to only open ports 5060 and so on from their IPs and deny from everywhere else… Now my problem is that if I only allow UDP 5060 traffic from their IPs, then how can I hook up my remote phones? PLEASE HELP
Like I said before, I do have the GS WAVE app working from smartphones from remote locations very well through TLS, but my problem is that I don’t know how to enable TLS on the GXP2135 and GXV3275 phones from a remote location… Thanks in advance, guys…


#6

With Panasonic PBXs like the KXNS700 and KXNS1000 you can have a different port for your SIP TRUNKS and a different port for endpoints… So it's very easy to change and play with ports… Now, that being said, on the UCM6202 I only see port 5060 UDP and port 5061 TLS, so if I reserve port 5060 UDP for my SIP TRUNK PROVIDER then I'm only left with port 5061, which is TLS… Can I have a different port for endpoints, but UDP?


#7

They’re asking you to forward from all their IPs but it doesn’t look like they’re saying only those IPs.

However, opening all those ports for RTP seems wasteful.

I’ll hook you up with a Canadian provider (looks like you're in Canada, as am I) and walk you through the settings if you like.

Send me a message and we’ll set up a call.


#8

It is recommended in their document, not mandatory. In essence a suggestion, but possibly not one that can be followed if the client has remote activity. If it can be followed, then it is a good idea. If the remote phones have a static public IP, then you could always add them into the firewall exceptions just as the ITSP is asking you to do for their service.

If you want to set TLS in the phones, then look at the account, sip settings and transport.
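The firewall policy discussed in this thread (trunk port 5060 limited to the provider's addresses, 5061 open for remote TLS phones, static-IP phones added as exceptions), modelled as an added Python example that is not part of any post or of Grandstream's software. All addresses are constructed from documentation ranges, and the rule names and the RTP port range are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str        # hypothetical label for the port-forward rule
    sources: tuple   # allowed source networks (CIDR strings)
    proto: str       # "udp" or "tcp"
    ports: range     # destination ports forwarded to the PBX

# Constructed addresses (RFC 5737 documentation ranges), not real provider IPs.
PROVIDER_SIGNAL = ("192.0.2.0/28",)
PROVIDER_MEDIA = ("198.51.100.0/28",)
STATIC_REMOTE_PHONES = ("203.0.113.25/32",)
ANYWHERE = ("0.0.0.0/0",)

RULES = [
    # Trunk signalling: only the provider may reach UDP 5060.
    Rule("trunk-sip", PROVIDER_SIGNAL, "udp", range(5060, 5061)),
    # Trunk media: port range is an assumption, use the provider's list.
    Rule("trunk-rtp", PROVIDER_MEDIA, "udp", range(10000, 20001)),
    # Remote phone with a known static public IP, added as an exception.
    Rule("static-phone-sip", STATIC_REMOTE_PHONES, "udp", range(5060, 5061)),
    # Roaming phones: SIP over TLS (TCP 5061) from any address.
    Rule("remote-tls", ANYWHERE, "tcp", range(5061, 5062)),
]

def decide(src, proto, dport, rules=RULES):
    """Return the name of the first matching rule, or 'default-deny'."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if proto == r.proto and dport in r.ports and any(
            addr in ipaddress.ip_network(net) for net in r.sources
        ):
            return r.name
    return "default-deny"

def exposed_to_internet(rules=RULES):
    """Rules reachable from any source: these rely on PBX-side auth only."""
    return [r.name for r in rules if "0.0.0.0/0" in r.sources]

if __name__ == "__main__":
    for pkt in [("192.0.2.5", "udp", 5060), ("203.0.113.77", "udp", 5060),
                ("203.0.113.77", "tcp", 5061), ("203.0.113.25", "udp", 5060)]:
        print(pkt, "->", decide(*pkt))
    print("open to any source:", exposed_to_internet())
```

Media from the remote phones themselves is not modelled here; only the signalling rules and the provider's media rule from the thread are.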


#9

Also, on the UCM you can change the SIP port for recording remote extensions.
Let me ask you a question: can I ask you something in PM about the Panasonic NS?


#10

Yes, sure.


#11

I wrote to you in PM.


#12

Hello
Could you please let me know when we can do this? Can we set up some time on Saturday this weekend?
Tomorrow, Friday, I'm working all day and can probably send you a message if I finish early for the day.
I'm based out of Toronto. Thanks