Zero config on External Subnet


#1

I’m really looking for a way to allow zero config to work on an external subnet. We used the LAN port and set Network Settings as “Switch” and did everything per instruction. I fully expect that the user of the phone will manually set the configuration URL to HTTPS /zccgi.

At this point, I get an empty xml file. I suspect that’s because the user is coming in from an external IP address that is also not whitelisted and UCM zero config. Zero Config on UCM does not allow whitelisting except for internal IP space (like 10.10, 192.168, and 172)… Why is this feature closed off externally and how can we fix it?

Our setup has the UCM at the data center and all offices are thus considered “remote” on a public IP. If we use OpenVPN then we can get our UCM connected to only 1 office and back haul through that which is not ideal.

Help appreciated.


#2

Mike, I have sent a bug request to the GS Help Desk and it might solve the puzzle for you as per below except my issue was noted using DUAL mode but you will see the similarity - using a UCM 6510:

With the UCM 6510 in Dual mode of operation.

If the Lan 1 is used for the LAN network and Lan 2 is used for Internet traffic, Zero Config does not work. What occurs is a sip notify to state that the UCM is on Lan 2 (in the above case it is the Wan) so what is used is the wan address for a reply which doesn’t respond because the UCM is expecting answers on the Lan 1 port (LAN).

Switching the port information makes the zero configuration work.

The issue is there are “NO” notes of information in the manual to say that the Wan port must be Lan 1 Ethernet port and the Local area network must be on the Lan 2 port.

Please amend the documentation to reflect the same because pages 60 to 63 of the installation manual do not refer to any issues when using Dual mode and zero config not working.


#3

RE: “Switching the port information makes the zero configuration work”.

Is that true even on an external subnet?


#4

As an aside, remote provisioning implies another potential security issue as it implies that port 8089 must be open and forwarded by which the remote device can effect the provisioning request. As the same port is used for the web interface, the unintended consequence is that the web GUI is exposed unless you filter at the firewall.


#5

Yes, we only intend on opening up 8089 to the offices we have. Again, this presumes that we can allow the external IPs for provisioning which we still can’t. I wish Grandstream would acknowledge and fix.
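The filtering that posts #4 and #5 describe, as an added example that is not part of the original thread or of Grandstream's documentation: an nftables fragment for a Linux firewall sitting in front of the UCM that admits TCP 8089 only from the office addresses. The UCM address, the office prefixes (RFC 5737 documentation ranges), and the table and set names are assumptions to replace with your own.

```nftables
# Constructed example. Syntax-check with: nft -c -f ucm-8089.nft
# Assumption: this host forwards traffic to the UCM at the data center.

define ucm_addr = 192.0.2.10          # placeholder for the UCM's public address

table inet ucm_edge {
    # Public addresses of the remote offices (placeholders).
    set office_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/28, 198.51.100.64/29 }
    }

    chain forward {
        # Policy stays "accept" here so this fragment only decides port 8089;
        # SIP/RTP and everything else is left to the site's existing rules.
        type filter hook forward priority 0; policy accept;

        # Replies for connections that were already admitted.
        ct state established,related accept

        # Provisioning (/zccgi) and the web GUI share 8089:
        # admit it only when the source is one of the offices.
        ip daddr $ucm_addr tcp dport 8089 ip saddr @office_v4 counter accept

        # Any other source reaching for 8089 is logged (rate-limited) and dropped.
        ip daddr $ucm_addr tcp dport 8089 limit rate 10/minute log prefix "ucm-8089-denied: "
        ip daddr $ucm_addr tcp dport 8089 counter drop
    }
}
```

Because provisioning and the web GUI are on the same port, this narrows who can reach the GUI to the offices but does not separate the two services from each other.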


#6

If you have your Wan details on Lan1 switch it to Lan 2 - GS recognised the issue in the documentation and are fixing it.


#7

Can you please elaborate? The UCM6510 has a single LAN port.


#8

The UCM has 2 x ethernet nic ports, one marked Lan and the other marked Wan on the casing - however on the software it is marked Lan 1 and Lan 2.

So as I have stated from the software perspective and naming convention, use above and modify your ethernet leads.


#9

Thank you for the clarity. So to confirm:

When on Method “Switch” we only see “LAN” settings.
When on Method “Dual” we see “LAN 1” and “LAN 2”
When on Method “Route” we see “WAN” and “LAN”

So we will switch to “Dual” Mode, connect Ethernet cable for internet connectivity to LAN2 and configure LAN 2 with the external IP addresses.

Nothing will be on LAN1.

If this all makes sense, we’ll send someone to the DC to make the change and confirm.
Thank you for your help!


#10

Hi Mike,

I found a problem by walking into someone else’s 6510 install that I have taken over. Someone told them to use Lan 2 for the wan and Lan 1 for the LAN with dual mode. After many days of trying to work out why the UCM would seemingly not zero config on the Lan port, I went back to basics and switched the ports to re-enable zero config. The documentation doesn’t state that there is a problem but there is when this occurs.

In Dual mode you get another option - Default Interface: which also seems to assign which port Zero Config will work using as I found out. The UCM would try and send packets for zero config out on lan 2… which is ordinarily fine except that was the wan port in this case for the setup. So all packets after reaching the handset were being sent back to the external address so zero config failed.

So before you go on your big adventure… remotely set the UCM as dual mode of operation, set the NIC accordingly to whichever you are using for the external IP and set the “Default Interface” as that external nic from the drop down.

Hopefully this does definitely resolve your zero config issues as well.