Topic
This article discusses how to set up a SonicWall firewall for use with Cytracom UCaaS
Environment
- Cytracom UCaaS
Description
Follow these steps in order to ensure correct configuration.
Refer to our Firewall Best Practices guide for the latest IP address ranges and services.
Index
- Before you begin
- Set up bandwidth management
- Increase system UDP timeout
- Configure address objects and the Cytracom address group
- Configure the outgoing traffic rule
- Disable SIP ALG
- Disable SIP URIs to have an explicit port
Before you begin
We highly recommend that all phone configurations running on a network with a SonicWALL device using firmware 6.3.X or higher only use port 5060.
Using port 5062 will cause packet loss due to unmodifiable traffic shaping for packets originating on that port. The firewall will not know how to respond to these packets and will drop them instead of forwarding. This does not include NAT Traversal.
Connecting the SonicWALL firewall
To connect the SonicWALL firewall to the network:
- Ensure the modem or other ISP-provided equipment is in bridge mode.
- If the IP address is static, you must load this information into the SonicWall.
- Connect the router to the modem provided by the ISP, ensuring that it is the only device connected. All other devices will connect to the router or a switch connected to the router.
- In most cases, the router can be accessed locally at 192.168.0.1 or 192.168.1.1.
Procedure
Set up bandwidth management
Setting up bandwidth management for the phones is good practice, especially if they share the network with other devices. As an on-demand, real-time service, VoIP depends on a stable connection to perform consistently; unlike most other applications, it cannot rely on local caching to mask ISP network inconsistencies.
1. In the SonicWALL UI, click Firewall Settings in the left-hand Navigation menu, then select Bandwidth Management.
2. Ensure the Bandwidth Management Type is set to Advanced.
When finished, click Save.
Figure 1: Bandwidth Management
Increase system UDP timeout
1. In the SonicWALL UI, click Firewall Settings in the left-hand Navigation menu, then select Flood Protection.
2. Click the UDP tab near the top of the window.
3. Under UDP Settings, set Default UDP Connection Timeout (seconds) to 180.
Figure 2: UDP Timeout settings
Configure address objects and the Cytracom address group
Configure the address objects
Address Objects allow IP addresses to be defined once and re-used in multiple instances throughout the SonicOS interface. You must define the address objects and the group before configuring the QoS option in the Access rules.
1. In the SonicWALL UI, click the Manage tab at the top of the window.
2. Click Objects in the left-hand Navigation menu, then select Address Objects.
3. Click + ADD, then configure the object as follows:
- Name: Cytracom Voice 1 (recommended).
- Zone: WAN.
- Type: Range.
- Starting IP Address: 209.105.249.194
- Ending IP Address: 209.105.249.252
When finished, click Add or OK.
Figure 3: The Add Object window
4. Configure a second Cytracom Voice object as follows:
- Name: Cytracom Voice 2 (recommended).
- Zone: WAN.
- Type: Range.
- Starting IP Address: 184.175.130.161
- Ending IP Address: 184.175.130.186
When finished, click Add or OK.
5. Configure a third Cytracom Voice object as follows:
- Name: Cytracom Voice 3 (recommended).
- Zone: WAN.
- Type: Range.
- Starting IP Address: 205.142.242.20
- Ending IP Address: 205.142.243.254
When finished, click Add or OK.
6. Configure a Cytracom Web object as follows:
- Name: Cytracom Web (recommended).
- Zone: WAN.
- Type: Range.
- Starting IP Address: 3.208.72.128
- Ending IP Address: 3.208.72.158
When finished, click Add or OK.
7. Configure a Firmware Server object as follows (this object requires a change in the Type menu):
- Name: Cytracom Firmware (recommended).
- Zone: WAN.
- Type: Host.
- IP Address: 54.227.140.71
When finished, click Add or OK.
Configure the Cytracom address group
1. In the SonicWALL UI, click the Manage tab at the top of the window.
2. Click Objects in the left-hand Navigation menu, then select Address Objects.
3. Click the Address Groups tab.
4. Click + Add, then use the arrow button to add the address objects you created in the previous step.
When finished, click Add or OK.
Figure 4: The Address Group window
This address group can contain additional Cytracom address objects, such as firmware or configuration, depending on the strictness of implicit rules. For initial configuration purposes, we have only included the DC location objects. See the firewall best practices guide for more information.
Configure the bandwidth object
Bandwidth Objects allow inbound/outbound bandwidth expectations to be defined once globally and re-used in multiple instances throughout the SonicOS interface. You must define the bandwidth object before configuring the BWM option in the Access Rules.
1. In the SonicWALL UI, click the Policies tab at the top of the window.
2. Click Objects in the left-hand Navigation menu, then select Bandwidth Objects.
3. Click + ADD, then configure the object as follows:
- Name: Cytracom Guarantee (recommended).
- Guaranteed bandwidth: 100kbps multiplied by the number of phones at that location.
- Maximum bandwidth: Set to the maximum bandwidth provided by your ISP (recommended).
- Traffic priority: 0 Realtime.
- Violation Action: Delay.
When finished, click Add or OK.
Figure 4: Bandwidth Object Settings
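Before touching the access rule it is worth confirming that the objects entered above actually describe what you intend to allow. The following pre-flight check is an added example, not Cytracom's or SonicWall's own code: it takes the five address objects and the 100 kbps-per-phone rule of thumb exactly as listed in the steps above, expands each range into prefixes, reports how many WAN addresses the "Cytracom Group" destination will match, and flags a bandwidth object whose guarantee would not leave headroom below the ISP maximum. The function names, the 12-phone site and the 20 Mbps uplink are assumptions for the demo.

```python
"""Pre-flight check for the SonicWall objects this guide asks you to create.

Added example; not Cytracom's or SonicWall's own code. The ranges, host and
the 100 kbps-per-phone figure are the ones listed in the steps above; the
function names, phone count and ISP speed are assumptions for the demo.
"""
import ipaddress
from typing import Dict, List

# Address objects exactly as entered in the Add Object windows above.
ADDRESS_OBJECTS: Dict[str, str] = {
    "Cytracom Voice 1": "209.105.249.194-209.105.249.252",
    "Cytracom Voice 2": "184.175.130.161-184.175.130.186",
    "Cytracom Voice 3": "205.142.242.20-205.142.243.254",
    "Cytracom Web": "3.208.72.128-3.208.72.158",
    "Cytracom Firmware": "54.227.140.71",  # Type: Host, not Range
}

# Members of the "Cytracom Group" address group used by the access rule.
CYTRACOM_GROUP: List[str] = list(ADDRESS_OBJECTS)


def expand_object(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn a 'start-end' Range or a single Host into the minimal CIDR list.

    The firewall stores a range as entered; summarising it shows how many
    prefixes the object really spans, which makes it easy to compare against
    the vendor's published list and spot an object that is wider than needed.
    """
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.IPv4Network(f"{spec}/32")]


def group_networks(members=CYTRACOM_GROUP) -> List[ipaddress.IPv4Network]:
    """All prefixes covered by the address group (union of its members)."""
    nets: List[ipaddress.IPv4Network] = []
    for name in members:
        nets.extend(expand_object(ADDRESS_OBJECTS[name]))
    return list(ipaddress.collapse_addresses(nets))


def group_covers(ip: str, members=CYTRACOM_GROUP) -> bool:
    """True if the LAN->WAN rule's Destination would match this address."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in group_networks(members))


def group_address_count(members=CYTRACOM_GROUP) -> int:
    """Number of distinct WAN addresses the rule will allow traffic to."""
    return sum(net.num_addresses for net in group_networks(members))


def guaranteed_kbps(phones: int, per_phone_kbps: int = 100) -> int:
    """Guaranteed bandwidth per the guide's rule of thumb: 100 kbps per phone."""
    if phones < 1:
        raise ValueError("need at least one phone")
    return phones * per_phone_kbps


def bandwidth_object_ok(phones: int, isp_max_kbps: int) -> bool:
    """Sanity check: the guarantee must stay below the ISP maximum.

    A guarantee at or above the maximum reserves the whole link for voice
    and starves every other LAN->WAN flow, so treat that as a misconfiguration.
    """
    return guaranteed_kbps(phones) < isp_max_kbps


if __name__ == "__main__":
    for name, spec in ADDRESS_OBJECTS.items():
        print(f"{name:20s} -> {', '.join(str(n) for n in expand_object(spec))}")
    print("group covers 205.142.243.1:", group_covers("205.142.243.1"))
    print("group covers 8.8.8.8:", group_covers("8.8.8.8"))
    print("distinct addresses in group:", group_address_count())
    # Assumed site: 12 phones on a 20 Mbps uplink.
    print("guarantee for 12 phones (kbps):", guaranteed_kbps(12))
    print("bandwidth object OK:", bandwidth_object_ok(12, 20_000))
```

Run it after creating the objects and compare the printed prefixes with what the Address Objects page shows; an address that is unexpectedly reported as covered, or a count far above the few hundred addresses the five objects add up to, means a range boundary was mistyped.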
Configure the outgoing traffic rule
In this step, you will configure options in multiple tabs on the Access Rules page.
General configuration
1. In the SonicWALL UI, click the Policies tab at the top of the window.
2. Click Rules in the left-hand Navigation menu, then select Access Rules.
3. Click + ADD, then configure the rule as follows:
- From: LAN.
- To: WAN.
- Source Port: Any.
- Service: Any.
- Destination: Cytracom Group.
- Users Included: All.
- Users excluded: None.
- Schedule: Always On.
- Priority: Retain original priority.
- Enable logging: checked.
- Enable Geo-IP Filter: unchecked.
- Enable Botnet Filter: unchecked.
- Allow Fragmented Packets: Checked.
When finished, click Add or OK.
Figure 5: Outgoing Traffic Rule configuration
Advanced configuration
1. Click the Advanced tab and configure advanced options as follows:
- Set UDP Connection Inactivity Timeout (seconds): 180.
- Create a reflexive rule: checked (if applicable).
- Disable DPI: checked (if applicable).
- Disable DPI-SSL Client: checked (if applicable).
- Disable DPI-SSL Server: checked (if applicable).
When finished, click Add or OK.
Figure 6: Advanced configuration
BWM configuration
1. Click the BWM tab and configure the bandwidth management options as follows:
- Enable Egress Bandwidth Management: checked.
- Bandwidth Object: Cytracom Guarantee.
- Enable Ingress Bandwidth Management: checked.
- Bandwidth Object: Cytracom Guarantee.
- Enable Tracking Bandwidth Usage: checked.
When finished, click Add or OK.
Figure 7: BWM configuration
Most SonicWall firmware versions offer the ability to create a reflexive rule. This is necessary to manage bandwidth and ensure incoming RTP streams are given priority. If a reflexive rule option is not offered, create a WAN to LAN rule with the same settings as the LAN to WAN rule but with the direction (From/To and source/destination) reversed.
Disable SIP ALG
Commercial routers implement SIP ALG (application-level gateway), and it is typically enabled by default. SIP ALG can help solve NAT-related problems. Often, however, SIP ALG implementations are wrong and break SIP.
If SIP ALG is enabled on the SonicWall router, then the following will likely occur:
- Registration failure
- Call transfer issues
- DTMF issues
- Additional issues, depending on the network setup
To disable SIP ALG:
1. In the SonicWALL UI, click VOIP in the left-hand Navigation menu, then configure the options as follows:
- Enable consistent NAT: Checked.
- Enable SIP Transformations: Unchecked.
- Enable H.323 Transformations: Unchecked.
When finished, click Accept.
Figure 8: Disabling SIP ALG
Disable SIP URIs to have an explicit port
1. Access internal settings:
- On Gen 7 appliances: go to https://[ip-address]/sonicui/7/m/mgmt/settings/diag
- On earlier appliances: In the URL of the firewall (e.g. 192.168.1.1/main.html) change main.html to diag.html.
2. Scroll down to VoIP Settings and uncheck Transform SIP URIs to have an explicit port.
Figure 8: Disabling SIP URIs to have an explicit port
On Firmware 6.2 and below, uncheck all of the options in this section as they add to CPU usage and slow down SIP signaling.
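The two settings above (SIP Transformations and Transform SIP URIs to have an explicit port) both cause the firewall to rewrite SIP headers in flight, and the quickest way to confirm they are really off is to compare what a phone sent with what arrived on the far side. The following detector is an added example, not Cytracom's or SonicWall's code, and serves both the Disable SIP ALG section and the explicit-port section. It embeds two constructed REGISTER messages: the copy a phone on the LAN emits, and the same request as a WAN-side capture would show it after an ALG substituted the public address and appended an explicit port to the Contact URI. The function names, addresses and extension are assumptions for the demo; a real check would feed it a LAN capture and a WAN capture of the same request.

```python
"""Detect SIP ALG rewriting by diffing a phone's REGISTER with the WAN-side copy.

Added example; not Cytracom's or SonicWall's code. Both messages below are
constructed for the demo, as are the addresses, extension and function names.
"""
import re
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"

# Constructed sample: REGISTER as sent by a phone at 192.168.1.50 on the LAN.
PHONE_SIDE = CRLF.join([
    "REGISTER sip:sip.example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-776asdhds;rport",
    "From: <sip:1001@sip.example.invalid>;tag=1928301774",
    "To: <sip:1001@sip.example.invalid>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 REGISTER",
    "Contact: <sip:1001@192.168.1.50>;expires=3600",
    "Content-Length: 0",
    "",
    "",
])

# Constructed sample: the same REGISTER after an ALG rewrote it on the way out
# (public address substituted in Via/Contact, explicit port added to Contact).
WAN_SIDE = (PHONE_SIDE
            .replace("192.168.1.50:5060", "203.0.113.7:5060")
            .replace("<sip:1001@192.168.1.50>", "<sip:1001@203.0.113.7:5060>"))

# host and optional port inside a <sip:user@host[:port]> URI
URI_HOST = re.compile(r"<sip:[^@>]*@([^:;>]+)(?::(\d+))?[;>]")


def parse_headers(msg: str) -> Dict[str, str]:
    """Minimal SIP header parser: request line, then 'Name: value' until the blank line."""
    lines = msg.split(CRLF)
    headers: Dict[str, str] = {"request-line": lines[0]}
    for line in lines[1:]:
        if not line:
            break  # empty line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def contact_host_port(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Host and explicit port (None if absent) from the Contact URI."""
    m = URI_HOST.search(headers.get("contact", ""))
    if not m:
        return None, None
    return m.group(1), m.group(2)


def via_host(headers: Dict[str, str]) -> Optional[str]:
    """Sent-by host from the topmost Via header."""
    m = re.search(r"SIP/2\.0/\w+ ([^:;\s]+)", headers.get("via", ""))
    return m.group(1) if m else None


def alg_findings(phone_msg: str, wan_msg: str) -> List[str]:
    """Describe every modification between the phone's copy and the WAN copy.

    An empty list means the request crossed the firewall untouched, which is
    the expected result once SIP Transformations and the explicit-port
    transform are both disabled.
    """
    a, b = parse_headers(phone_msg), parse_headers(wan_msg)
    findings: List[str] = []
    if via_host(a) != via_host(b):
        findings.append(f"Via host rewritten: {via_host(a)} -> {via_host(b)}")
    ha, pa = contact_host_port(a)
    hb, pb = contact_host_port(b)
    if ha != hb:
        findings.append(f"Contact host rewritten: {ha} -> {hb}")
    if pa is None and pb is not None:
        findings.append(f"explicit port {pb} added to Contact URI")
    return findings


if __name__ == "__main__":
    print("ALG active   :", alg_findings(PHONE_SIDE, WAN_SIDE))
    print("ALG disabled :", alg_findings(PHONE_SIDE, PHONE_SIDE))
```

A rewritten Via or Contact is the signature of SIP Transformations being on; an added `:5060` on an otherwise unchanged Contact URI is the explicit-port transform by itself. Either finding after the settings above have been applied means the change did not take effect (or a second device in the path is doing its own ALG).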