Cytracom UCaaS: Setting up a SonicWALL firewall

 

Topic

This article discusses how to set up a SonicWALL firewall for use with Cytracom UCaaS.

Environment

  • Cytracom UCaaS

Description

Follow these steps in order to ensure correct configuration. 

Refer to our Firewall Best Practices guide for the latest IP address ranges and services.

Index

  1. Before you begin
  2. Set up bandwidth management
  3. Increase system UDP timeout
  4. Configure address objects and the Cytracom address group
  5. Configure the bandwidth object
  6. Configure the outgoing traffic rule
  7. Disable SIP ALG
  8. Disable SIP URIs to have an explicit port

Before you begin

We highly recommend that all phone configurations on a network with a SonicWALL device running firmware 6.3.X or higher use only port 5060.

Using port 5062 causes packet loss because traffic shaping for packets originating on that port cannot be modified. The firewall does not know how to respond to these packets and drops them instead of forwarding them. This does not include NAT Traversal.

Connecting the SonicWALL firewall

To connect the SonicWALL firewall to the network:

  • Ensure the modem or other ISP-provided equipment is in bridge mode
  • If the IP address is static, you must load this information into the SonicWall.
  • Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or a switch connected to the router.
  • In most cases, the router can be accessed locally at 192.168.0.1 or 192.168.1.1.

Procedure

Set up bandwidth management

Setting up bandwidth management for the phones is good practice, especially if they share the network with other devices. VoIP is a real-time service and depends on a stable connection to perform consistently, whereas most other devices rely on local caching, which masks ISP network inconsistencies.

1. In the SonicWALL UI, click Firewall Settings in the left-hand Navigation menu, then select Bandwidth Management.

2. Ensure the Bandwidth Management Type is set to Advanced.

When finished, click Save.

Figure 1: Bandwidth Management

Increase system UDP timeout

1. In the SonicWALL UI, click Firewall Settings in the left-hand Navigation menu, then select Flood Protection.

2. Click the UDP tab near the top of the window.

3. Under UDP Settings, set Default UDP Connection Timeout (seconds) to 180.

Figure 2: UDP Timeout settings

Configure address objects and the Cytracom address group

Configure the address objects

Address Objects allow IP addresses to be defined once and re-used in multiple instances throughout the SonicOS interface. You must define the address objects and the group before configuring the QoS option in the Access rules. 

1. In the SonicWALL UI, click the Manage tab at the top of the window.

2. Click Objects in the left-hand Navigation menu, then select Address Objects.

3. Click + ADD, then configure the object as follows:

  • Name: Cytracom Voice 1 (recommended).
  • Zone: WAN.
  • Type: Range.
  • Starting IP Address: 209.105.249.194
  • Ending IP Address: 209.105.249.252

When finished, click Add or OK.

Figure 3: The Add Object window

4. Configure a second Cytracom Voice object as follows:

  • Name: Cytracom Voice 2 (recommended).
  • Zone: WAN.
  • Type: Range.
  • Starting IP Address: 184.175.130.161
  • Ending IP Address: 184.175.130.186

When finished, click Add or OK.

5. Configure a third Cytracom Voice object as follows:

  • Name: Cytracom Voice 3 (recommended).
  • Zone: WAN.
  • Type: Range.
  • Starting IP Address: 205.142.242.20
  • Ending IP Address: 205.142.243.254

When finished, click Add or OK.

6. Configure a Cytracom Web object as follows: 

  • Name: Cytracom Web (recommended).
  • Zone: WAN.
  • Type: Range.
  • Starting IP Address: 3.208.72.128
  • Ending IP Address: 3.208.72.158

When finished, click Add or OK.

7. Configure a Firmware Server object as follows (this object requires a change in the Type menu):

  • Name: Cytracom Firmware (recommended).
  • Zone: WAN.
  • Type: Host.
  • IP Address: 54.227.140.71

When finished, click Add or OK.

Configure the Cytracom address group

1. In the SonicWALL UI, click the Manage tab at the top of the window.

2. Click Objects in the left-hand Navigation menu, then select Address Objects.

3. Click the Address Groups tab.

4. Click + Add, then use the arrow button to add the address objects you created in the previous step.

When finished, click Add or OK.

Figure 4: The Address Group window

This address group can also contain additional Cytracom address objects, such as the firmware or configuration objects, depending on how strict the implicit rules are. For initial configuration, we have included only the DC location objects. See the Firewall Best Practices guide for more information.
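As an added example (not part of this article or of SonicOS), the following Python models the address objects above using the ranges listed in this article, converts each range to the CIDR blocks it covers, and checks whether a destination seen in traffic falls inside the group. That is a quick way to confirm that the LAN-to-WAN rule will actually match a phone's registrar or media address. The log-line format and the non-Cytracom address are constructed for the example.

```python
import ipaddress

# Address object ranges exactly as listed in this article (start, end).
ADDRESS_OBJECTS = {
    "Cytracom Voice 1": ("209.105.249.194", "209.105.249.252"),
    "Cytracom Voice 2": ("184.175.130.161", "184.175.130.186"),
    "Cytracom Voice 3": ("205.142.242.20", "205.142.243.254"),
    "Cytracom Web": ("3.208.72.128", "3.208.72.158"),
    "Cytracom Firmware": ("54.227.140.71", "54.227.140.71"),  # Type: Host
}


def object_networks(name):
    """Minimal list of CIDR blocks that exactly cover one address object's range."""
    first, last = ADDRESS_OBJECTS[name]
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def matching_object(ip, members=tuple(ADDRESS_OBJECTS)):
    """Name of the address object whose range contains ip, or None if the
    Cytracom rule would not match this destination."""
    addr = ipaddress.ip_address(ip)
    for name in members:
        first, last = ADDRESS_OBJECTS[name]
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None


def unmatched_destinations(log_lines, members=tuple(ADDRESS_OBJECTS)):
    """Destination IPs from constructed 'src:port -> dst:port' lines that the
    group does not cover, i.e. traffic the Cytracom rule would not prioritise."""
    missed = []
    for line in log_lines:
        dst = line.split("->", 1)[1].strip().split(":", 1)[0]
        if matching_object(dst, members) is None:
            missed.append(dst)
    return missed


# Constructed sample of phone traffic as a firewall log might show it.
SAMPLE_LOG = [
    "192.168.1.50:5060 -> 209.105.249.200:5060",   # SIP to Cytracom Voice 1
    "192.168.1.50:10000 -> 205.142.243.1:10000",   # RTP to Cytracom Voice 3
    "192.168.1.51:5060 -> 198.51.100.9:5060",      # constructed non-Cytracom host
]
```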

Configure the bandwidth object

Bandwidth Objects allow inbound/outbound bandwidth expectations to be defined once globally and re-used in multiple instances throughout the SonicOS interface. You must define the bandwidth object before configuring the BWM option in the Access Rules.

1. In the SonicWALL UI, click the Policies tab at the top of the window.

2. Click Objects in the left-hand Navigation menu, then select Bandwidth Objects.

3. Click + ADD, then configure the object as follows:

  • Name: Cytracom Guarantee (recommended).
  • Guaranteed bandwidth: 100kbps multiplied by the number of phones at that location.
  • Maximum bandwidth: Set to the maximum bandwidth provided by your ISP (recommended).
  • Traffic priority: 0 Realtime.
  • Violation Action: Delay.

When finished, click Add or OK.

Figure 5: Bandwidth Object Settings

Configure the outgoing traffic rule

In this step, you will configure options in multiple tabs on the Access Rules page. 

General configuration

1. In the SonicWALL UI, click the Policies tab at the top of the window.

2. Click Rules in the left-hand Navigation menu, then select Access Rules.

3. Click + ADD, then configure the rule as follows:

  • From: LAN.
  • To: WAN.
  • Source Port: Any.
  • Service: Any.
  • Destination: Cytracom Group.
  • Users Included: All.
  • Users excluded: None.
  • Schedule: Always On.
  • Priority: Retain original priority.
  • Enable logging: checked.
  • Enable Geo-IP Filter: unchecked.
  • Enable Botnet Filter: unchecked.
  • Allow Fragmented Packets: Checked.

When finished, click Add or OK.

Figure 6: Outgoing Traffic Rule configuration

Advanced configuration

1. Click the Advanced tab and configure advanced options as follows:

  • Set UDP Connection Inactivity Timeout (seconds): 180.
  • Create a reflexive rule: checked (if applicable).
  • Disable DPI: checked (If applicable).
  • Disable DPI-SSL Client: checked (If applicable).
  • Disable DPI-SSL Server: checked (If applicable).

When finished, click Add or OK.

Figure 7: Advanced configuration

BWM configuration

1. Click the BWM tab and configure the bandwidth management options as follows:

  • Enable Egress Bandwidth Management: checked.
  • Bandwidth Object: Cytracom Guarantee.
  • Enable Ingress Bandwidth Management: checked.
  • Bandwidth Object: Cytracom Guarantee.
  • Enable Tracking Bandwidth Usage: checked.

When finished, click Add or OK.

Figure 8: BWM configuration

Most SonicWall firmware versions offer the ability to create a reflexive rule. This is necessary to manage bandwidth and ensure that incoming RTP streams are given priority. If a reflexive rule option is not offered, create a WAN to LAN rule with the same settings as the LAN to WAN rule but with the direction (From, To, and destination) reversed.

Disable SIP ALG

Commercial routers implement SIP ALG (application-level gateway), and the feature is usually enabled by default. SIP ALG can help solve NAT-related problems. Often, however, SIP ALG implementations are incorrect and break SIP.

If SIP ALG is enabled on the SonicWall router, then the following will likely occur:

  • Registration failure
  • Call transfer issues
  • DTMF issues
  • Additional issues, depending on the network setup

To disable SIP ALG:

1. In the SonicWALL UI, click VoIP in the left-hand Navigation menu, then configure the options as follows:

  • Enable consistent NAT: Checked. 
  • Enable SIP Transformations: Unchecked.
  • Enable H.323 Transformations: Unchecked.

When finished, click Accept.

Figure 9: Disabling SIP ALG
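The following Python, added here as an example and not part of this article or of SonicOS, shows how to confirm the symptom this section describes: it compares a SIP REGISTER as a phone sends it with the copy the server receives and reports which headers were altered in transit. The messages, the registrar name and the addresses are constructed; in practice the two copies would come from captures taken on the phone side and on the server side.

```python
# Constructed REGISTER as the phone sends it from the LAN (private address).
SENT = (
    "REGISTER sip:registrar.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "\r\n"
)

# Constructed copy as the server receives it when a SIP ALG has rewritten the
# private address to the firewall's public one (198.51.100.7 is a documentation IP).
RECEIVED_ALG = SENT.replace("192.168.1.50:5060", "198.51.100.7:5060")


def parse_headers(msg):
    """Return {lower-cased header name: value} for one SIP message; the request
    line is skipped and a repeated header keeps its first occurrence."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def rewritten_headers(sent, received):
    """Headers whose values differ between the two copies. Differences in Via or
    Contact mean something in the path rewrote the signaling, the classic ALG
    symptom behind the registration and transfer failures listed above."""
    a, b = parse_headers(sent), parse_headers(received)
    return {h: (a[h], b[h]) for h in a if h in b and a[h] != b[h]}


def alg_suspected(sent, received):
    """True when the address-carrying headers were altered in transit."""
    changed = rewritten_headers(sent, received)
    return any(h in changed for h in ("via", "contact"))
```

If the server-side copy still shows the phone's private address, the firewall is passing SIP untouched and registration problems lie elsewhere.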

Disable SIP URIs to have an explicit port

1. Access internal settings:

  • On Gen 7 appliances: go to https://[ip-address]/sonicui/7/m/mgmt/settings/diag
  • On earlier appliances: In the URL of the firewall (e.g. 192.168.1.1/main.html) change main.html to diag.html.

2. Scroll down to VoIP Settings and uncheck Transform SIP URIs to have an explicit port.

Figure 10: Disabling SIP URIs to have an explicit port

On Firmware 6.2 and below, uncheck all of the options in this section as they add to CPU usage and slow down SIP signaling.
