HP 3Com VCX IP Telecommuting Module Quick Start Guide

Download

3Com VCX IP Telecommuting

Module

Getting started Guide

3Com VCX IP Telecommuting Module: Getting started Guide

Part Number BETA

Published April 2009

3Com Corporation, 350 Campus Drive, Marlborough MA 01752-3064

form or by any means or used to make any derivative work (such as translation, transformation, or adaptation)

without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time

without obligation on the part of 3Com Corporation to provide notiﬁcation of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or

expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory

quality, and ﬁtness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the

program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license

agreement included with the product as a separate document, in the hardcopy documentation, or on the removable

media in a directory ﬁle named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact

3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are

provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software

is delivered as "Commercial Computer Software" as deﬁned in DFARS 252.227-7014 (June 1995) or as a

"commercial item" as deﬁned in FAR 2.101(a) and as such is provided with only such rights as are provided in

3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided

in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove

or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to

you in conjunction with, this guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be

registered in other countries.

3Com, the 3Com logo, NBX, and SuperStack are registered trademarks of 3Com Corporation. NBX NetSet, pcXset,

and VCX are trademarks of 3Com Corporation.

Adobe is a trademark and Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Microsoft,

Windows, Windows 2000, Windows NT, and Microsoft Word are registered trademarks of Microsoft Corporation.

All other company and product names may be trademarks of the respective companies with which they are associated.

Part I. Installation of the 3Com VCX IP Telecommuting Module ...................................i

1. Introduction................................................................................................................1

2. Overview of the Installation.......................................................................................3

3. Installing 3Com VCX IP Telecommuting Module ....................................................5

Part II. Conﬁguring 3Com VCX IP Telecommuting Module ........................................ 15

4. Network Conﬁguration ............................................................................................17

5. SIP Conﬁguration ....................................................................................................35

6. Administration of the Telecommuting Module........................................................47

7. Firewall and Client Conﬁguration............................................................................57

Index ............................................................................................................................61

Part I. Installation of the 3Com

VCX IP Telecommuting Module

This document will help you to get started with your 3Com VCX IP Telecommuting Module. It contains the necessary information to conﬁgure your Telecommuting Module.

Additional information about managing your 3Com VCX IP Telecommuting Module can be found in the Reference Guide.

These chapters contain an introduction to the 3Com VCX IP Telecommuting Module, descriptions of the various models and information about how to install your Telecommuting Module.

Chapter 1. Introduction

What is a Telecommuting Module?

A Telecommuting Module is a device which processes trafﬁc under the SIP protocol (see RFC 3261). The Telecommuting Module receives SIP requests, processes them according to the rules you have set up, and forwards them to the receiver.

The Telecommuting Module connects to an existing enterprise ﬁrewall through a DMZ port, enabling the transmission of SIP-based communications without affecting ﬁrewall security. SIP messages are then routed through the ﬁrewall to the private IP addresses of authorized users on the internal network.

The Telecommuting Module can also be used as an extra gateway to the internal network without connecting to the ﬁrewall, transmitting only SIP-based communications.

Conﬁguration alternatives

The 3Com VCX IP Telecommuting Module can be connected to your network in three different ways, depending on your needs.

Note that if the Standalone type is used, the interface which should receive trafﬁc from the outside must have a public IP address (no NAT).

For a DMZ or DMZ/LAN type which uses a private IP address on the interface connected to the DMZ of the ﬁrewall, its corresponding public IP address must be entered on the Interoperability page.

DMZ Conﬁguration

Using this conﬁguration, the Telecommuting Module is located on the DMZ of your ﬁrewall, and connected to it with only one interface. The SIP trafﬁc ﬁnds its way to the Telecommuting Module using DNS or by setting the Telecommuting Module as an outbound proxy on the clients.

This is the most secure conﬁguration, since all trafﬁc goes through both your ﬁrewall and your Telecommuting Module. It is also the most ﬂexible, since all networks connected to any of your ﬁrewall’s interfaces can be SIP-enabled.

The drawback is that the SIP trafﬁc will pass the ﬁrewall twice, which can decrease performance.

Chapter 1. Introduction

Fig 1. Telecommuting Module in DMZ conﬁguration.

DMZ/LAN Conﬁguration

Using this conﬁguration, the Telecommuting Module is located on the DMZ of your ﬁrewall, and connected to it with one of the interfaces. The other interfaces are connected to your internal networks. The Telecommuting Module can handle several networks on the internal interface even if they are hidden behind routers.

This conﬁguration is used to enhance the data throughput, since the trafﬁc only needs to pass your ﬁrewall once.

Fig 2. Telecommuting Module in DMZ/LAN conﬁguration.

Standalone Conﬁguration

Using this conﬁguration, the Telecommuting Module is connected to the outside on one interface and your internal networks on the others.

Use this conﬁguration only if your ﬁrewall lacks a DMZ interface, or for some other reason cannot be conﬁgured for the DMZ or DMZ/LAN alternatives.

Fig 3. Telecommuting Module in Standalone conﬁguration.

Chapter 2. Overview of the Installation

• Now you can see the main page of 3Com VCX IP Telecommuting Module. Click on the

Telecommuting Module Type link and select the conﬁguration for your Telecommuting Module. The types are described on the corresponding help page.

• Go to the Basic Conﬁguration page and enter a DNS server. See also the Basic Conﬁg-

uration section.

• Go to the Access Control page and make settings for the conﬁguration of the Telecom-

muting Module. See also the Access Control section.

• Go to the Network Interface 1 page under Network Conﬁguration and enter the neces-

sary conﬁguration. See also the Interface section. Note that the Telecommuting Module must have at least one IP address which can be reached from the Internet.

• If one of the Telecommuting Module Types DMZ/LAN or Standalone was chosen, move

on to the Network Interface 2 page and give the Telecommuting Module at least one IP address on this interface and state the networks connected to the interface. See also the Interface section.

• Go to the Default Gateway page and enter a Default gateway. See also the Default

Gateway section.

• Go to the Networks and Computers page. Deﬁne the networks that will send and receive

SIP trafﬁc using the Telecommuting Module. Usually, you need at least one network per interface of the ﬁrewall connected to the Telecommuting Module (or, for the Standalone type, per interface of the Telecommuting Module). Some computers should be handled separately, and they therefore need their own networks. See also the Networks and Computers section.

• Go to the Surroundings page (for the DMZ Telecommuting Module Type) and state the

networks connected to the ﬁrewall. See also the Surroundings section in chapter 8 of the User Manual.

• Go to Basic Settings under SIP Services and switch the SIP module on. Enter the port

range to be used by the Telecommuting Module for the media streams. See also the Basic Settings section.

• Go to the Filtering page under SIP Trafﬁc to create Proxy rules for the SIP trafﬁc from

different networks and allow the content types which should be allowed in the SIP media streams. See also the Filtering section.

• Go to the Interoperability page. Set URI Encoding to "Keep username in URIs".

• Go to the Save/Load Conﬁguration page under Administration. Select Apply conﬁgu-

ration. Now you can test your new conﬁguration and save it permanently if you are satisﬁed with it. If the conﬁguration is not satisfactory, select Revert or restart the Telecommuting Module. The old conﬁguration will remain.

• When the conﬁguration has been applied, you should save a backup to ﬁle. Press Save to

local ﬁle to save the conﬁguration.

When the Telecommuting Module is conﬁgured, the ﬁrewall connected to it must also be reconﬁgured (for the DMZ and DMZ/LAN Telecommuting Module Types).

Chapter 2. Overview of the Installation

• Allow UDP and TCP trafﬁc in the port interval used for media streams by the Telecom-

muting Module, and port 5060. This trafﬁc must be allowed to all networks which should be reached by SIP trafﬁc.

See also the chapter titled Firewall and Client Conﬁguration, for information on conﬁguring the ﬁrewall and the SIP clients.

About settings in 3Com VCX IP Telecommuting Module

3Com VCX IP Telecommuting Module uses two sets of Telecommuting Module conﬁgurations: preliminary and permanent conﬁguration. The permanent conﬁguration is what is used in the active Telecommuting Module. The preliminary conﬁguration is where you change and set the conﬁguration. See chapter 3 of the User Manual for instructions.

The changes you make in the preliminary conﬁguration are not stored in the permanent conﬁguration until you click on Apply conﬁguration on the Save/Load Conﬁguration page under Administration.

The password conﬁguration and time setting are the exceptions to this rule; they are saved immediately. Change the administrator passwords and create more administrator users on the User Administration page under Administration.

3Com VCX IP Telecommuting Module displays serious errors in red, e.g., if mandatory information is not entered. Blank ﬁelds are shown in red. Fields that you correct remain red until you select Save, Add new rows or update the page in some other way.

If you have a web connection with the Telecommuting Module that is inactive for 10 minutes, it will ask for a password again.

Always log out from the Telecommuting Module administration interface when you are not using it. Press the Log out button on the left to log out.

The terms used in the book are explained in appendix C of the User Manual.

For a general description of how to conﬁgure and administer the Telecommuting Module, see chapter 3 of the User Manual.

License Conditions

To fulﬁll the license conditions, we must either attach the source code with the software, or send a written offer, valid at least three years, to give a copy of the source code to anyone who wants it. According to 3b) of the license, we are entitled to charge for the distribution of the source code.

3Com Corporation offer the source code for all third party software included in 3Com VCX IP Telecommuting Module and licensed under GPL. This offer is valid for this version of 3Com VCX IP Telecommuting Module and is valid for three years after deliverance of your 3Com VCX IP Telecommuting Module unit. Contact 3Com Corporation for current information.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Installation

There are three ways to install an 3Com VCX IP Telecommuting Module: using a serial cable, using a diskette or perform a magic ping.

Installation with a serial cable or a diskette requires being at the same place as the Telecommuting Module, but will give more options for the start conﬁguration.

Installation with magic ping does not require being on the same place as the Telecommuting Module (but the computer has to be connected to the same logical network as the Telecommuting Module), but restricts the start conﬁguration.

Installation with magic ping

You can use the magic ping to set an IP address for the Telecommuting Module. This is how to perform a magic ping:

• Plug in the power cord and turn the Telecommuting Module on.

• Wait while the Telecommuting Module boots up.

• Connect the network cables to the network interfaces.

• Find out the MAC address of the Telecommuting Module (printed on the Telecommuting

Module label). This is the MAC address of Network Interface 1.

• Add a static entry in your local ARP table consisting of the Telecommuting Module’s

MAC address and the IP address it should have on eth0.

This is how to add a static ARP entry if you use a Windows computer:

Run the command command (or cmd).

In the Command window, enter the command arp -s ipaddress macaddress where ipad- dress is the new IP address for the eth0 interface, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).

• Ping this IP address to give the Telecommuting Module its new IP address. You should

receive a ping reply if the address distribution was successful.

• Conﬁgure the rest through a web browser.

The magic ping will not set any password. Set a password immediately via the web user interface. Before any conﬁguration has been made, only the computer which performed the magic ping will be able to conﬁgure the 3Com VCX IP Telecommuting Module.

Installation with a serial cable

These steps are performed when installing with a serial cable:

Chapter 3. Installing 3Com VCX IP Telecommuting Module

• Connect the Telecommuting Module to your workstation with the enclosed serial cable.

• Plug in the power cord and turn the Telecommuting Module on.

• Wait while the Telecommuting Module boots up.

• Log on from your workstation.

• Run the installation program (see following instructions).

• Connect the network cables to the network interfaces.

• Conﬁgure the rest through a web browser.

Connect the Telecommuting Module to your workstation with the enclosed serial cable, plug in the power cord and turn the Telecommuting Module on. You will have to wait a few minutes while it boots up.

• If you use a Windows workstation, connect like this: Start Hyperterm. A Location dia-

logue will show, asking for your telephone number and area. Click Cancel followed by Yes. Then you will be asked to make a new connection. Type a name for this connection, select an icon and click OK. The Location dialogue will show again, so click Cancel followed by Yes.

Now you can select Connect using COM1 and click OK. A Port settings dialogue will show, where you select 19200 as Bits per second. Use the default conﬁguration for all other settings. Click OK and wait for a login prompt. (In some cases you have to press Return to get the login prompt.)

• If you use a Linux workstation, connect like this: Make sure that there is a symbolic

link named /dev/modem which points to the serial port you connected the Telecommuting Module to. Connect using minicom with the bit rate 19200 bits/s, and wait for a login prompt.

Log on as the user admin. The ﬁrst time you log on, no password is required. You set the password when you run the installation script, which starts automatically when you have logged on.

Each network interface is marked with a name (1 and 2), which corresponds to a tab under Network Conﬁguration. All eth interfaces belong to ethernet cards and should only be connected using ethernet cables.

Decide which computer(s) are allowed to conﬁgure 3Com VCX IP Telecommuting Module and enter the name of the network interface to which they are connected, for example, eth0. You must use the physical device name (eth0 and eth1).

Enter the IP address of the Telecommuting Module on this interface and the network mask for the network.

A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:

• The ﬁrst looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

• The other way is as a number between 0 and 32. An IP address has 32 bits, where the

number of the network mask indicates how many bits are used in the network’s addresses. The rest of the bits identiﬁes the computer on the network.

Now, you can select to deactivate any network interfaces. Select y to deactivate all interfaces but the one you just conﬁgured. The remaining network interfaces can be activated later when you complete the conﬁguration via the web interface from your work station. This only applies to interfaces which was previously active; you can’t activate interfaces with this setting.

Now enter the computer or computers from which the Telecommuting Module may be conﬁgured (the conﬁguration computers).

Then enter a password for the Telecommuting Module. This is the password you use in your web browser to access and change the Telecommuting Module’s conﬁguration. Finally, you can reset all other conﬁguration if you want to.

Following is a sample run of the installation program.

3Com VCX IP Telecommuting Module Administration

1. Basic conﬁguration

2. Save/Load conﬁguration

5. Wipe email logs

6. Set password

7. Command line interface a. About q. Exit admin ==>

Select 1 to install your 3Com VCX IP Telecommuting Module.

Basic unit installation program version 4.6.5

Press return to keep the default value

Network conﬁguration inside:

Physical device name[eth0]: IP address [0.0.0.0]: 10.47.2.242 Netmask/bits [255.255.255.0]: 255.255.0.0 Deactivate other interfaces? (y/n) [n]

Computers from which conﬁguration is allowed:

You can select either a single computer or a network.

Conﬁgure from a single computer? (y/n) [y]

Chapter 3. Installing 3Com VCX IP Telecommuting Module

If you choose to allow only one computer to conﬁgure the Telecommuting Module, you are asked for the IP address (the mask is set automatically).

IP address [0.0.0.0]: 10.47.2.240

If this IP address is not on the same network as the IP address of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Then enter the network address and mask of the network containing the conﬁguring computer.

Static routing: The computer allowed to conﬁgure from is not on a network local to this unit. You must conﬁgure a static route to it. Give the IP address of the router on the network the unit is on.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

You can choose to allow several computers to conﬁgure the Telecommuting Module, by answering no to the question:

Conﬁgure from a single computer? (y/n) [y] n

The installation program then asks for the network number. The conﬁguration computers must be entered as a complete subnet, i. e. a range which can be written as a network number and a netmask (like 10.47.2.128 with netmask 255.255.255.128, which means the computers

10.47.2.128-10.47.2.255). All computers on this subnet will be allowed to conﬁgure the Telecommuting Module. For more information about network numbers and netmasks, see chapter 3 of the User Manual.

Network number [0.0.0.0]: 10.47.2.0 Netmask/bits [255.255.255.0]: 255.255.255.0

If the network or partial network is not directly connected to the Telecommuting Module, you must enter the IP address of the router leading to that network. Then enter the network’s address and mask.

Static routing: The network allowed to conﬁgure from is not on a network local to this unit. You must conﬁgure a static route to it. Give the IP address of the router on the network this unit is on.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

Then enter a password.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Password []:

Finally, you are asked if you want to reset other conﬁguration.

Other conﬁguration Do you want to reset the rest of the conﬁguration? (y/n) [n]

If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:

1. Clear as little as possible. This is the alternative that is used if you answer n to the

question above. Both the preliminary and the permanent conﬁgurations will be updated with the conﬁguration speciﬁed above.

2. Revert to the factory conﬁguration and then apply the conﬁguration speciﬁed above. This will affect the permanent but not the preliminary conﬁguration.

3. Revert to the factory conﬁguration and empty all logs and then apply the conﬁguration speciﬁed above. Both the preliminary and the permanent conﬁgurations will be affected.

Select the update mode, which is what you want to remove.

Update mode (1-3) [1]:

All conﬁguration is now complete. The installation program shows the conﬁguration and asks if it is correct.

yes saves the conﬁguration.

no runs the installation program over again.

abort ends the installation program without saving.

You have now entered the following conﬁguration

Network conﬁguration inside:

Physical device name: eth0 IP address: 192.168.150.2 Netmask: 255.255.255.0 Deactivate other interfaces: no

Computer allowed to conﬁgure from:

IP address: 192.168.128.3

Password: eeyore

The rest of the conﬁguration is kept.

Is this conﬁguration correct (yes/no/abort)? yes

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Now, ﬁnish conﬁguration of the Telecommuting Module from the computer/computers speciﬁed in the installation program.

Installation with a diskette

These steps are performed when installing with a diskette:

• Select an IP address and store it on the installation diskette as described below.

• Insert the installation diskette into the Telecommuting Module’s ﬂoppy drive.

• Plug in the power cord and turn the Telecommuting Module on.

• Connect the network cables to the network interfaces.

• Wait while the Telecommuting Module boots up.

• Conﬁgure the rest through a web browser.

You must ﬁrst insert the diskette into your PC. If the PC is running Windows, open a Command window and run the ﬁnst-en script from the diskette. If the PC is running Linux, mount the diskette, change directory to the mounted one, and run the ﬁnst-en script.

Enter the IP address of the Telecommuting Module on this interface and the network mask for the network.

A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:

• The ﬁrst looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.

• The other way is as a number between 0 and 32. An IP address has 32 bits, where the

number of the network mask indicates how many bits are used in the network’s addresses. The rest of the bits identiﬁes the computer on the network.

Now enter the computer or computers from which the Telecommuting Module may be conﬁgured (the conﬁguration computers).

Following is a sample run of the installation program on the diskette.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Basic unit installation program version 4.6.5

Press return to keep the default value

Network conﬁguration inside:

Physical device name[eth0]: IP address [0.0.0.0]: 10.47.2.242 Netmask/bits [255.255.255.0]: 255.255.0.0 Deactivate other interfaces? (y/n) [n]

Computers from which conﬁguration is allowed:

You can select either a single computer or a network.

Conﬁgure from a single computer? (y/n) [y]

If you choose to allow only one computer to conﬁgure the Telecommuting Module, you are asked for the IP address (the netmask is set automatically).

IP address [0.0.0.0]: 10.47.2.240

If this IP address is not on the same network as the inside of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Now enter the network address and mask of the network containing the conﬁguring computer.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

You can choose to allow several computers to conﬁgure the Telecommuting Module, by answering no to the question:

Conﬁgure from a single computer? (y/n) [y] n

The installation program then asks for the network number. The network number is the lowest IP address in the series of numbers that includes the conﬁguration computers (see chapter 3 of the User Manual). The network mask determines the number of computers that can act as conﬁguration computers.

Network number [0.0.0.0]: 10.47.2.0 Netmask/bits [255.255.255.0]: 255.255.255.0

Chapter 3. Installing 3Com VCX IP Telecommuting Module

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

Then enter a password.

Password []:

Finally, you are asked if you want to reset other conﬁguration.

Other conﬁguration Do you want to reset the rest of the conﬁguration? (y/n) [n]

If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:

1. Clear as little as possible. This is the alternative that is used if you answer n to the question above. Both the preliminary and the permanent conﬁgurations will be updated with the conﬁguration speciﬁed above.

2. Revert to the factory conﬁguration and then apply the conﬁguration speciﬁed above. This will affect the permanent but not the preliminary conﬁguration.

3. Revert to the factory conﬁguration and empty all logs and then apply the conﬁguration speciﬁed above. Both the preliminary and the permanent conﬁgurations will be affected.

Select the update mode, which is what you want to remove.

Update mode (1-3) [1]:

All conﬁguration is now complete. The installation program shows the conﬁguration and asks if it is correct.

yes saves the conﬁguration.

no runs the installation program over again.

abort ends the installation program without saving.

Now, eject the diskette from your PC and insert it into the Telecommuting Module’s ﬂoppy drive. Then power up the Telecommuting Module and wait for it to boot. Then, ﬁnish conﬁguration of the Telecommuting Module from the computer/computers speciﬁed in the installation program.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Note that the diskette contains a command to erase certain parts of the conﬁguration during boot when the diskette is inserted. Make sure to eject it once the Telecommuting Module has booted up to avoid future loss of data.

If you happen to forget the administrator password for the Telecommuting Module, you can insert the diskette into the Telecommuting Module again and boot it. Note that if you selected anything but 1 as the update mode, you will lose conﬁguration when doing this.

Turning off a Telecommuting Module

Backup the Telecommuting Module conﬁguration (just in case something should happen). You do this on the Save/Load Conﬁguration page under Administration. Once this is done, just turn the computer off. The computer that runs 3Com VCX IP Telecommuting Module is specially designed so that you can switch it off without causing any problems in the ﬁle structure.

Remember to lock up the Telecommuting Module

The Telecommuting Module is a computer with special software, and must be protected from unauthorized physical access just as other computers performing critical tasks. A locked up Telecommuting Module protects against:

• connecting to the console

• connecting a keyboard and monitor

• changing the administrator password using the installation diskette.

• changing BIOS conﬁguration to allow the Telecommuting Module to be booted from a

diskette

For more information about the necessary conﬁguration, see chapter 3 of the User Manual.

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Part II. Conﬁguring 3Com VCX

IP Telecommuting Module

These chapters contain information about how to conﬁgure your 3Com VCX IP Telecommuting Module, once it has been installed. All conﬁguration is made through the web interface of the Telecommuting Module.

The conﬁguration described in these chapters is basic for making the Telecommuting Module work. For descriptions of more advanced Telecommuting Module functions, please refer to the User Manual.

Chapter 4. Network Conﬁguration

First, the Telecommuting Module must be conﬁgured to be aware of the network in which it operates. This is performed on the Network Conﬁguration pages. The important pages for getting started are Telecommuting Module Type, Interface (Network Interface 1 and 2), Default Gateway, Networks and Computers and (for the DMZ Telecommuting Module Type) Surroundings.

You will also need to add DNS conﬁguration on the Basic Conﬁguration page under Basic

Conﬁguration

Telecommuting Module Type

The Telecommuting Module can be connected to your network in different ways, depending on your needs. On this page, you state what conﬁguration you have.

DMZ Conﬁguration

The drawback is that the SIP trafﬁc will pass the ﬁrewall twice, which can decrease performance.

On your ﬁrewall, you need to open the SIP port (normally UDP port 5060) and a range of UDP ports for RTP trafﬁc between the Telecommuting Module and the Internet as well as between the Telecommuting Module and your internal networks. The SIP trafﬁc ﬁnds its way to the Telecommuting Module using DNS or by setting the Telecommuting Module as an outbound proxy on the clients.

The ﬁrewall mustn’t use NAT for the trafﬁc between the Telecommuting Module and your internal networks or for the trafﬁc between the Telecommuting Module and the Internet. However, the Telecommuting Module can itself use NAT for trafﬁc to the Internet.

You need to declare your internal network topology on the Surroundings page.

Chapter 4. Network Conﬁguration

DMZ/LAN Conﬁguration

This conﬁguration is used to enhance the data throughput, since the trafﬁc only needs to pass your ﬁrewall once.

On your ﬁrewall, you need to open the SIP port (normally UDP port 5060) and a range of UDP ports for RTP trafﬁc between the Telecommuting Module and the Internet. The other interface is connected to your internal network. The Telecommuting Module can handle several networks on the internal interface even if they are hidden behind routers. No networks on other interfaces on the ﬁrewall can be handled.

Internal users have to conﬁgure the Telecommuting Module as outbound proxy, or an internal proxy has to use the Telecommuting Module as outbound proxy.

The Telecommuting Module derives information about your network topology from the interface conﬁguration.

Standalone Conﬁguration

Using this conﬁguration, the Telecommuting Module is connected to the outside on one interface and your internal networks on the others.

Use this conﬁguration only if your ﬁrewall lacks a DMZ interface, or for some other reason cannot be conﬁgured for the DMZ or DMZ/LAN alternatives.

Internal users have to conﬁgure the Telecommuting Module as outbound proxy, or an internal proxy has to use the Telecommuting Module as outbound proxy. No change in the ﬁrewall conﬁguration is needed.

Chapter 4. Network Conﬁguration

The Telecommuting Module derives information about your network topology from the interface conﬁguration.

Telecommuting Module Type conﬁguration

Current Telecommuting Module Type

Shows which type is currently active.

Change Telecommuting Module Type to

Select a new Telecommuting Module Type here.

Change type

Press the Change type button to set the new Telecommuting Module Type. This setting, like others, must be applied on the Save/Load Conﬁguration page before it affects the Telecommuting Module functionality.

Interface (Network Interface 1 and 2)

There is a page for each network interface (Network Interface 1 and 2) on the Telecommuting Module. Select a page to make conﬁguration for that interface. There is also a page where conﬁguration for all interfaces can be viewed and changed.

Here, you set the interface name, whether the interface is on or off, the IP address, alias, and static routing.

For each interface, go to Directly Connected Networks and state the IP address of the Telecommuting Module and the size of the network connected to this interface.

General

Chapter 4. Network Conﬁguration

Physical device

Physical device tells the physical device name of the network interface.

Status

Specify if this network interface is On or Off. If the interface is off, all conﬁguration on this page is ignored, and the Telecommuting Module will behave as if this interface wasn’t present.

Interface name

The network Interface name is only used internally in the Telecommuting Module, e. g. when conﬁguring Networks and Computers.

Obtain IP Address Dynamically

Specify if this network interface should obtain its IP address from a DHCP or PPPoE server instead of an address entered on this page. If DHCP client ON is selected, the Telecommuting Module will send out a DHCP request when you apply the conﬁguration and at boot. The request is sent out to the network connected to this interface. If no IP address is obtained, the Telecommuting Module will keep on sending requests until an address lease is received.

The Telecommuting Module will accept an IP address and a netmask via DHCP. It will also accept a default gateway, if you conﬁgured for that in the Main Default Gateways table on the Default Gateway page.

If PPPoE client ON is selected, the Telecommuting Module will send out a PPPoE request when you apply the conﬁguration and at boot. To obtain an IP address via PPPoE, you also need to enter conﬁguration on the PPPoE page.

More than one interface can obtain its IP address dynamically.

Directly Connected Networks

The Telecommuting Module must have an IP address on every network to which it is directly connected. This applies to all networks on the same physical network to which this interface is connected.

When the DHCP client is on, there must be a directly connected network with "*" as the DNS name/IP address, and where the Netmask/bits ﬁeld is left empty. No other directly connected networks are allowed for this interface.

Chapter 4. Network Conﬁguration

Name

A name for this IP address. You can use this name when conﬁguring VPN. This name is only used internally in the Telecommuting Module.

DNS Name Or IP Address

The name/IP address of the Telecommuting Module on this network interface on this directly connected network. If a name is entered, you must enter the IP address for a name server on the Basic Conﬁguration page.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Netmask/Bits

Enter the mask of the network where the DNS Name Or IP Address applies.

Network address

The IP address of the network where the DNS Name Or IP Address applies.

Broadcast address

Shows the broadcast address of the network in the Network address ﬁeld.

VLAN Id

VLANs are used for clustering IP ranges into logical networks. A VLAN id is simply a number, which identiﬁes the VLAN uniquely within your network.

Enter a VLAN id for this network. You don’t need to use a named VLAN (deﬁned on the VLAN page).

VLAN Name

If you entered the VLAN id of a named VLAN, the name will show here.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

If the interface should obtain its IP address from a DHCP server, the settings should be like in the image below. With a DHCP IP, no aliases can be deﬁned for the interface.

Chapter 4. Network Conﬁguration

Alias

3Com VCX IP Telecommuting Module can use extra IP addresses, aliases, on its interfaces. All alias IP addresses must belong to one of the Directly Connected Networks you have speciﬁed.

Aliases are necessary for setting up a STUN server.

If the interface obtains its IP address dynamically, no aliases can be deﬁned.

Name

Enter the name of your alias. This name is only used internally in the Telecommuting Module.

DNS Name Or IP Address

Enter the IP address of this alias, or a name in the DNS. If you enter a DNS name instead of an IP address, you must enter the IP address of a DNS server on the Basic Conﬁguration page.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Chapter 4. Network Conﬁguration

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Static Routing

If there is a router between the Telecommuting Module and a computer network which the Telecommuting Module is serving, you must name the router and the network here. The table is sorted by network number and network mask.

The Default gateway, conﬁgured on the Default Gateway page, will automatically be entered in this table on the corresponding interface page, when added to the Main Default Gateways table.

If the interface obtains its IP address dynamically, no other static routes can be deﬁned.

Routed network

Enter the DNS name or IP address of the routed network under DNS Name Or Network Address.

The IP address of the routed network is shown under Network address.

In the Netmask/Bits ﬁeld, enter the netmask of the network.

Router

The name or IP address of the router that will be used for routing to the network. If there are several routers between the Telecommuting Module and the network, ﬁll in the router closest to the Telecommuting Module.

If an interface will receive its IP address from a DHCP server, the Telecommuting Module will get its default gateway from the server. In this case, select the corresponding IP address under Dynamic.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Chapter 4. Network Conﬁguration

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Interface conﬁguration to the preliminary conﬁguration.

Cancel

Clears and resets all ﬁelds in new rows and resets changes in old rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Conﬁguration page.

This button will only be visible if a DNS server has been conﬁgured.

Default Gateway

Main Default Gateways

The Default gateway is the IP address of the router that is used to contact the outside world. This IP address is usually the ﬁrewall. Default gateway must be an IP address from one of the Directly Connected Networks of the Telecommuting Module’s interfaces. See appendix C of the User Manual, for further description of routers/gateways.

The Telecommuting Module must have at least one default gateway to work.

You can enter more than one default gateway. The Telecommuting Module will use one of them until it stops responding, and then switch to the next one.

Priority

If you entered more than one default gateway, you can assign a priority to each of them. The Telecommuting Module will use the gateway with the highest priority (lowest number) when it works. If it stops working, the Telecommuting Module will switch to the next in priority, while checking the ﬁrst for availability. When the ﬁrst gateway works again, the Telecommuting Module will switch back to using that.

Chapter 4. Network Conﬁguration

Dynamic

If an interface will receive its IP address from a DHCP server, the Telecommuting Module will get its default gateway from the server. In this case, select the corresponding IP address here.

DNS Name Or IP Address

Enter the DNS name or IP address for the default gateway. If an interface will receive its IP address from a DHCP server, the Telecommuting Module will get its default gateway from the server. In this case, leave this ﬁeld empty.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Interface

Select the interface connected to the Telecommuting Module default gateway.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Policy For Packets From Unused Gateways

This policy controls how packets from the currently unused gateway(s) should be treated. The packet can be allowed (subject to the rest of the conﬁguration) or discarded.

The Discard IP packets selection means that the Telecommuting Module ignores the IP packets without replying that the packet did not arrive.

The Allow IP packets selection makes the Telecommuting Module use the rest of the conﬁguration to decide if the packet should be allowed.

Gateway Reference Hosts

The gateway reference hosts are used by the Telecommuting Module to check if the gateways are alive. For each reference host, test ping packets are sent, using the different gateways.

Reference hosts are not needed if you have entered a single default gateway.

Chapter 4. Network Conﬁguration

DNS Name Or IP Address

Enter the DNS name or IP address for the reference host. The reference host must be located on the other side of the default gateway.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves the Default Gateway conﬁguration to the preliminary conﬁguration.

Cancel

Clears and resets all ﬁelds in new rows and reset changes in old rows.

Networks and Computers

Here, you name groups of computers and networks. Sometimes it can be useful to give a group of computers a network name, such as Administration. If you want to group some computers, this can be done here, even if they do not have consecutive IP addresses. You can also include a subgroup when deﬁning a new network group.

The names are used when you conﬁgure Surroundings, Filtering and Local Registrar.

Every group of computers which can reach each other without having to pass through the ﬁrewall needs a separate network group.

The rows are sorted in alphabetical order, except that all upper case letters are sorted before lower case letters (B comes before a).

When using an already deﬁned group as a subgroup, select the name of the group under Subgroup. Set Interface/VLAN to ’-’ and leave the other ﬁelds empty.

Chapter 4. Network Conﬁguration

Name

Enter a name for the group of computers. You can use this name when you change conﬁguration on the pages mentioned above. A group can consist of several rows of IP addresses or series of IP addresses. By clicking on the plus sign beside the name, you add more rows where you can specify more IP addresses for this group.

Subgroup

An already deﬁned group can be used as a subgroup to new groups. Select the old group here and leave the ﬁelds for DNS name empty. Select ’-’ as Interface. If you don’t want to use a subgroup, select ’-’ here.

Lower Limit

DNS Name Or IP Address

Enter the DNS name or IP address of the network or computer. For computers in an IP range that you want to give a network name, enter the ﬁrst IP address in the range. DNS Name Or IP Address must not be empty if you are not using a subgroup.

IP address

The IP address of the object you entered in the DNS Name Or IP Address ﬁeld is displayed here. This ﬁeld is not updated until you click on Look up all IP addresses again or make changes in the DNS Name Or IP Address ﬁeld.

Chapter 4. Network Conﬁguration

Upper Limit

DNS Name Or IP Address

Here, enter the last DNS name/IP address of the network or group. For computers in an IP range that you want to give a network name, enter the last IP address in the seriesrange. The IP address in Upper Limit must be at least as high as the one in Lower Limit. If this ﬁeld is left empty, only the IP address in Lower Limit is used. If you use a subgroup, leave this ﬁeld empty.

IP address

Interface/VLAN

Here, you can select an interface or a VLAN to restrict the IP range.

If ’-’ is chosen, the group will consist of all IP addresses in the interval between Lower Limit and Upper Limit, regardless of what interface they are connected to. By selecting an interface or a VLAN, you constrain the group to consist only of the IP addresses in the interval that really are connected to the selected interface/VLAN.

For example, if 10.20.0.0 - 10.20.0.255 are IP addresses behind the interface DMZ-1 and the lower and upper limits are 10.10.10.20 and 255.255.255.255 respectively, choosing DMZ-1 as Interface will cause the group to consist of the IP addresses 10.20.0.0 - 10.20.0.255, being the IP addresses in the interval actually connected to the selected interface.

If you have selected a subgroup, the Interface/VLAN should be ’-’. If you want to deﬁne a network group at the remote side of a VPN connection, the Interface/VLAN should be ’-’.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new groups and rows you want to add to the table, and then click on Create.

Save

Saves the Networks and Computers conﬁguration to the preliminary conﬁguration.

Cancel

Clears and resets all ﬁelds in new rows and reset changes in old rows.

Chapter 4. Network Conﬁguration

Surroundings

State the topology around the Telecommuting Module on this page. Which type of topology is needed depends on which Telecommuting Module Type was selected.

Surroundings

Settings in the Surroundings table are only required when the Telecommuting Module has been made the DMZ (or LAN) type.

The Telecommuting Module must know what the networks around it looks like. On this page, you list all networks which the Telecommuting Module should serve and which are not reached through the default gateway of the ﬁrewall.

All computers that can reach each other without having to go through the ﬁrewall connected to the Telecommuting Module should be grouped in one network. When you are ﬁnished, there should be one line for each of your ﬁrewall’s network connections (not counting the default gateway).

One effect of this is that trafﬁc between two users on different networks, or between one of the listed networks and a network not listed here, is NAT:ed.

Another effect is that for connections between two users on the same network, or on networks where neither is listed in Surroundings, no ports for RTP sessions will be opened, since the Telecommuting Module assumes that they are both on the same side of the ﬁrewall.

For DMZ and LAN SIParators, at least one network should be listed here. If no networks are listed, the Telecommuting Module will not perform NAT for any trafﬁc.

Network

Select a network. The alternatives are the networks you deﬁned on the Networks and Computers page.

Additional Negotiators

Sometimes you have SIP devices on a different network that needs to negotiate for this network. This happens when there is a SIP server on one network, and SIP-unaware phones on another. In this case, select the phone network under Network, and the SIP server as an Additional Negotiator. Select from the networks deﬁned on the Networks and Computers page.

Chapter 4. Network Conﬁguration

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Data Interfaces

Settings in the Data Interfaces table are only required when the Telecommuting Module has been made the WAN type.

Between the Data Interfaces listed here, the Telecommuting Module will act as a plain router, and only forward trafﬁc, with the exception that QoS will be performed if conﬁgured for the trafﬁc in question.

The trafﬁc sent between Data Interfaces will not be logged by the Telecommuting Module.

The Telecommuting Module will only send SIP trafﬁc between the other interfaces.

Interface

Select a data interface here.

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Surroundings conﬁguration to the preliminary conﬁguration.

Cancel

Clears and resets all ﬁelds in new rows and resets changes in old rows.

Chapter 4. Network Conﬁguration

Basic Conﬁguration

On the Basic Conﬁguration page, general settings for the Telecommuting Module are made. The most important one for getting started is the DNS server.

General

Name of this Telecommuting Module

Here, you can give your 3Com VCX IP Telecommuting Module a name. The name of the Telecommuting Module is displayed in the title bar of your web browser. This can be a good idea if you administer several Telecommuting Modules. The name is also used if you use SNMP and when you export log ﬁles into the WELF format.

Default domain

Here, you can enter a default domain for all settings. If a default domain is entered, the Telecommuting Module will automatically assume that an incomplete computer name should be completed with the default. If, for example, Default domain contains company.com, you could as the name of the computer axel.company.com use only axel. If no default domain should be used, the Default domain ﬁeld should contain a single dot (.).

IP Policy

Here, you specify what will happen to IP packets which are neither SIP packets, SIP session media streams, or Telecommuting Module administration trafﬁc. Discard IP packets means that the Telecommuting Module ignores the IP packets without replying that the packet did not arrive. Reject IP packets makes the Telecommuting Module reply with an ICMP packet telling that the packet did not arrive.

Policy For Ping To Your 3Com VCX IP Telecommuting Module

Here, you specify how the Telecommuting Module should reply to ping packets to its IP addresses. You can choose between Never reply to ping, Only reply to ping from the

same interface and Reply to ping to all IP addresses. Only reply to ping from the same interface means that the ping request should originate from a network which is directly-

connected to the pinged interface of the Telecommuting Module or from a network to which there exists a static route from the pinged interface, or the request will be ignored.

Chapter 4. Network Conﬁguration

Ping is a way of ﬁnding out whether a computer is working. See appendix C of the User

Manual for further information on ping.

DNS Servers

Here, you conﬁgure DNS servers for the Telecommuting Module. The servers are used in the order they appear in this table, which means that the Telecommuting Module uses the top server to resolve DNS records until it doesn’t reply. Only then is server number two contacted.

No.

The DNS servers are used in the order they are presented in the table. To move a server to a certain row, enter the number on the row to which you want to move it. You need only renumber servers that you want to move; other servers are renumbered automatically. When you click on Save, the DNS servers are re-sorted.

Dynamic

If an interface will receive its IP address from a DHCP server, the Telecommuting Module can also get information about its DNS server from that server. In this case, select the corresponding IP address here and leave the other ﬁelds empty.

DNS Name Or IP Address

The DNS name/IP address of the DNS server which the Telecommuting Module should use. Note that to use DNS names here, there must exist a DNS server in the Telecommuting Module’s permanent conﬁguration.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Chapter 4. Network Conﬁguration

Save

Saves the Basic Conﬁguration conﬁguration to the preliminary conﬁguration.

Cancel

Reverts all the above ﬁelds to their previous conﬁguration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered above.

Chapter 4. Network Conﬁguration

Chapter 5. SIP Conﬁguration

SIP (Session Initiation Protocol) is a protocol for creating and terminating various media stream sessions over an IP network. It is for example used for Internet telephone calls and distribution of video streams.

SIP takes care of the initiation, modiﬁcation and termination of a session with one or more participants. The protocol makes it possible for the participants to agree on what media types they should share. You can ﬁnd more information about SIP in appendix A of the User Manual and in RFC 3261.

Basic SIP conﬁguration is made on the Basic Settings, Local Registrar, and possibly also Sessions and Media pages. If you want to use an external SIP proxy, you must state this on the Routing page.

Basic Settings

Here, you make basic settings for the Telecommuting Module SIP management.

SIP Module

Here, select whether the SIP module should be enabled or disabled. If you select to Disable SIP module, no other SIP settings will have any effect.

Additional SIP Signaling Ports

Normally, the Telecommuting Module listens for SIP signaling on ports 5060 (UDP and TCP) and 5061 (TLS). You can make it listen for SIP signaling on additional ports. When ports are added here, they are reserved for SIP signaling on all the Telecommuting Module IP addresses.

Port

Enter an additional port on which the Telecommuting Module should listen for SIP signaling. The Telecommuting Module will then receive SIP signaling on this port for all its IP addresses.

SIP signaling over TLS cannot be received on a Telecommuting Module port which is used for something else, like conﬁguration of the Telecommuting Module.

Chapter 5. SIP Conﬁguration

Transport

Select which SIP signaling transports should be allowed on this port.

Comment

Enter a comment to remind yourself why you added the port.

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Provisioning Relay

Remote phones usually need to access your PBX for provisioning. For many phones, the provisioning server is the same as their registrar, which means that it is the IP address of the Telecommuting Module. To enable provisioning, the Telecommuting Module can open ports for this trafﬁc.

Select if the Telecommuting Module should open ports for provisioning trafﬁc, or if the phones get their settings in another way.

SIP Media Port Range

State a port interval which the Telecommuting Module should use for SIP media streams. You can use any high ports except 4500 (reserved for NAT-T) and 65097-65200 (reserved for RADIUS).

Note! A change in the port interval will make the SIP module restart when the conﬁguration change is applied.

When the SIP module is restarted, all active SIP sessions (SIP calls, video conferences etc) will be torn down and all SIP user registrations will be removed.

Enter the lower and upper limit of the port range that the Telecommuting Module should use for media streams. The upper limit must be at least as high as the lower limit.

Chapter 5. SIP Conﬁguration

Public IP address for NATed Telecommuting Module

Sometimes, the Telecommuting Module is located behind a NAT box that is not SIP-aware. This will make signaling go awry, with the result that in many cases there will be voice in only one direction.

This can be corrected by entering the public IP address that the Telecommuting Module will appear to have. When sending SIP signaling towards its default gateway, the Telecommuting Module will use that IP address instead of its private one, which will get media to the right place.

Note that the NATing device must also be conﬁgured to forward SIP signaling on that IP address to the Telecommuting Module.

If nothing is entered here, the Telecommuting Module will use its own IP addresses.

This setting is not supported for the Standalone conﬁguration.

SIP Servers To Monitor

Your Telecommuting Module can be made to monitor SIP servers, to check that they are alive. The information is used by the Telecommuting Module when SIP signaling should be passed on to the server in question. This is useful when a domain resolves to several individual hosts; the Telecommuting Module will know immediately if one of them is down, which will speed up the call connection.

The SIP server must respond with a SIP packet to OPTIONS packets to be monitored in this way.

Server

Enter the host name, domain name, or IP address of the server to be monitored.

Port

Enter the port to be monitored on that host. This should be the port to use for SIP signaling.

Chapter 5. SIP Conﬁguration

Transport

Select the transport to be monitored on that host. This should be the transport to use for SIP signaling.

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

SIP Logging

The same settings can also be found on the Logging Conﬁguration page under Logging.

Log class for SIP signaling

For each SIP packet, the Telecommuting Module generates a message, containing the sender and receiver of the packet and what type of packet it is. Select a log class for these log messages.

Log class for SIP packets

The Telecommuting Module logs all SIP packets (one SIP packet is many lines). Select a log class for the SIP packets.

Log class for SIP license messages

The Telecommuting Module logs license messages. Select a log class for these messages.

Chapter 5. SIP Conﬁguration

Log class for SIP errors

The Telecommuting Module sends a message if there are any SIP errors. Select a log class for these log messages.

Log class for SIP media messages

The Telecommuting Module creates log messages about when media streams are set up and torn down. Select a log class for these messages.

Log class for SIP debug messages

The Telecommuting Module logs a lot of status messages, for example the SIP initiation phase of a reboot. Select a log class for these messages.

Save

Saves the Basic Settings conﬁguration to the preliminary conﬁguration.

Cancel

Clears and resets all ﬁelds in new rows and resets changes in old rows.

Routing

DNS Override For SIP Requests

Here, you can register SIP domains to which the Telecommuting Module should be able to forward requests, but which for some reason cannot be resolved in DNS. Enter an IP address and port to which the requests should be forwarded. You can also select to use a speciﬁc protocol.

The Telecommuting Module uses the Request-URI of the incoming SIP packet to match for the domains in this table. When it matches a domain, the packet will be forwarded to the IP address entered here. Note that the Request-URI will not be rewritten!

You can also enter subdomains to Local SIP Domains, if you want the subdomain to be handled by a separate SIP proxy. This table has a higher priority than Local SIP Domains, which means that if you register a subdomain to a domain registered under Local SIP Do- mains, the Telecommuting Module will forward SIP requests to the subdomain instead of processing them itself.

You can enter more than one IP address or host name for a domain, and set weights and priorities for these.

Chapter 5. SIP Conﬁguration

Domain

Enter the domain name of the SIP domain. This domain is compared to the domain in the Request-URI of the incoming SIP packet.

You can’t enter a domain that was entered in the Local SIP Domains table.

Relay To

DNS Name Or IP Address

Enter the IP address for the SIP server handling the domain. You can also enter a DNS name for the SIP server, if it has a DNS-resolvable host name, even if the SIP domain is not possible to look up in DNS.

IP address

Shows the IP address of the DNS Name Or IP Address you entered in the previous ﬁeld.

Port

Here, enter the port on which the SIP server listens for SIP trafﬁc. The standard port is 5060 (5061 for TLS).

Transport

You can select which transport protocol to use between the Telecommuting Module and the SIP server. Under Transport, select from UDP, TCP and TLS.

Priority

If you entered more than one IP address/host name for the same domain, you should also assign them Priority and Weight. A low Priority value means that the unit should have a high priority.

Weight

If more than one unit has the same Priority, the signaling sent to them is distributed between them according to their Weight. If two units have the same priority, and Unit 1 has weight 4, and Unit 2 has weight 9, 4/13 of the signaling will be sent to Unit 1, and 9/13 will be sent to Unit 2.

Chapter 5. SIP Conﬁguration

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new groups and rows you want to add to the table, and then click on Create.

Filtering

On the Filtering page you select the MIME types you want to let through, if the Telecommuting Module should forward any other SIP trafﬁc than just IP telephony or instant messages.

On that page, you can also select ﬁltering of SIP signaling based on several conditions.

Sender IP Filter Rules

Here, you set all the rules for SIP requests from different networks. Requests that do not match any rule are handled according to the Default Policy For SIP Requests.

No.

The No. ﬁeld determines the order of the rules. Rules are used in the order in which they are displayed in the table; rule number 1 is ﬁrst. The order is important if you used networks which partly contain the same IP addresses. To change order for a rule, enter the new number in the ﬁeld and press Save.

From Network

The network name that the SIP request originates from. You can select between the networks deﬁned on the Networks and Computers page under Network Conﬁguration.

Action

Under Action, you select what to do with a SIP request from the selected network. The choices are Process all, which handles all requests regardless of destination, Local only, which only handles requests to Local SIP Domains (entered on the Local Registrar page), and Reject all, which doesn’t handle any requests at all.

Chapter 5. SIP Conﬁguration

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Default Policy For SIP Requests

Select what to do with SIP requests that do not match any of the Proxy Rules. The choices are Process all, which handles all requests regardless of destination, Local only, which only handles requests to Local SIP Domains (entered on the Local Registrar page), and Reject all, which doesn’t handle any requests at all.

Content Types

The SIP packets present information in different ways, using content types (MIME types). Enter here which types the SIP proxy should accept. The most common MIME types are predeﬁned and you only have to activate them.

The content types application/sdp (used for SIP requests), application/xpidf+xml (used for Presence) and text/x-msmsgsinvite (used by Messenger) are always accepted - you don’t have to enter them into the table. You can ﬁnd a complete list of MIME types at ftp://ftp.isi.edu/innotes/iana/assignments/media-types/media-types/.

Content Type

Enter the content type (only one in each row). The format is category/type, e.g. text/plain. You can also allow all content types by entering*/*in a row and allow it.

Chapter 5. SIP Conﬁguration

Allow

Select if the Telecommuting Module should allow (On) or reject (Off) this content type in SIP signaling.

Delete Row

If you select this box, the row is deleted when you click on Create new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Interoperability

URI Encoding

When registering a SIP client on one side of the Telecommuting Module to a SIP server on the other side, the Contact header is normally encrypted and rewritten. By doing this, we make it possible for the SIP server to track when the same user is sending requests from different places. It is possible to turn encryption and rewriting off, and to shorten the encrypted URI in Contact headers passing through the Telecommuting Module.

Select what to do with Contact headers.

Always encrypt URIs will make the Telecommuting Module encrypt the entire Contact header URI.

Use shorter, encrypted URIs will make the Telecommuting Module generate a random string for the incoming Contact URI. This will then be used as the username part of the outgoing Contact header URI.

When you select this, the Telecommuting Module makes no checks of incoming SIP URIs. It becomes possible in theory to trick the Telecommuting Module to send SIP packets anywhere, so security is drastically reduced.

Escape URIs will make the Telecommuting Module escape the entire original URI and use that as the username part of the outgoing Contact.

The encryption of a Contact URI is changed when the Call-ID changes, when the client gets a new IP address, or when the user changes its Contact URI.

Chapter 5. SIP Conﬁguration

Keep username in URIs will make the Telecommuting Module keep the original username pare of the Contact URI, and only replace the domain part.

When you select this, it will be impossible for the remote SIP server to tell if requests for a certain user belong to one or several clients, as it has no means of telling the client registrations for a user apart. This means that if a user registers from two clients, and then unregisters from one of them, the SIP server will remove its only registration record for that user.

The Telecommuting Module also makes no checks of incoming SIP URIs. It becomes possible in theory to trick the Telecommuting Module to send SIP packets anywhere, so security is drastically reduced.

Remote SIP Connectivity

Remote NAT Traversal

If your SIP client is not STUN-capable, you can use the built-in Remote NAT traversal feature of the Telecommuting Module. The client must register on the Telecommuting Module (or through it).

The SIP client needs to re-REGISTER, or respond to OPTIONS packets, rather often for this to work. The exact period for this depends on the NAT-ing device, but 20 seconds should be enough to get across most NAT boxes.

Remote NAT traversal

Switch this function on or off.

Remote Clients Signaling Forwarding

Many SIP servers need to separate signaling to and from remote clients from signaling to and from the SIP Trunk. For this purpose, you can specify which IP address and port the remote clients will connect to. This can’t be the same IP address and port as what the SIP provider uses!

Chapter 5. SIP Conﬁguration

You also specify which IP address the Telecommuting Module will use when it forwards this SIP signaling to the server on the LAN. In this way, the trunk signaling and remote client signaling will be separated for the PBX.

IP Address for Remote Clients

Select which IP address remote clients connect to. This can be the same IP address as is used by the SIP provider, but then you need to select a different signaling port below.

IP Port for Remote Clients

Enter the signaling port to which remote SIP clients should connect. The Telecommuting Module will listen for SIP signaling on this port only for the IP address selected above.

If you select an alias IP address as the address to where remote clients should connect, you can’t enter a port, but must use port 5060 (5061 for TLS connections). If you select an IP address that was entered in the Directly Connected Networks table, you must specify a port.

You cannot select a port that is already in use for something else, or speciﬁed in the Addi- tional SIP Signaling Ports table.

Forward Signaling from IP Address

Select which IP address the Telecommuting Module should use as the sender IP address when forwarding signaling from remote clients.

As all other SIP signaling will be forwarded using the IP address entered in the Directly Connected Networks, you must select an Alias IP address here.

NAT keepalive method

Clients using this function will have to send SIP packets very often, to keep the IP/port NAT binding. Select which method to use to force the clients to send packets frequently.

OPTIONS are sent from the Telecommuting Module to the client, and the client is required to respond to these OPTIONS packets to keep the NAT binding.

With short registration times, the Telecommuting Module tells the client to register with shorter intervals than it normally should have used, to keep the NAT binding. This will load the SIP registrar as well (if the Telecommuting Module is not the registrar), but is a method supported by all SIP clients.

NAT timeout for UDP

Enter the timeout the NAT box uses for UDP connections. The Telecommuting Module uses this information when deciding the intervals with which to send OPTIONS or tell the client to re-register.

NAT timeout for TCP

Enter the timeout the NAT box uses for TCP connections. The Telecommuting Module uses this information when deciding the intervals with which to send OPTIONS or tell the client to re-register.

Chapter 5. SIP Conﬁguration

Media Route

Usually, media is always sent via the Telecommuting Module when the Remote NAT Traversal feature is used. For clients behind the same NAT, media can be made to go directly between the clients, to lower the Telecommuting Module and network load.

Chapter 6. Administration of the Telecommuting Module

You also need to conﬁgure who can access the Telecommuting Module web interface. This is done on the Access Control page under Basic Conﬁguration.

Remember that the conﬁguration you see in the web interface (preliminary conﬁguration) isn’t necessarily the work conﬁguration (permanent conﬁguration) of the Telecommuting Module. When all conﬁguration is made in the web interface, it must be applied. This is done on the Save/Load Conﬁguration page under Administration.

Access Control

On the Access Control page, settings are made which controls the access to the Telecommuting Module administration interfaces. The Telecommuting Module can be conﬁgured via the web (http and https) and via ssh or the serial cable (using the CLI, see chapter 18 of the Reference Guide).

Select one or more conﬁguration IP addresses for the Telecommuting Module. The conﬁguration address is the IP address to which you direct your web browser to access the web interface of the Telecommuting Module, or connect your ssh client to.

For each network interface, you also specify whether or not the Telecommuting Module can be conﬁgured via this network interface.

You also select what kind of authentication will be performed for the users trying to access the administration interfaces.

To further increase security, the Telecommuting Module can only be conﬁgured from one or a few computers that are accessed from one of these interfaces. Enter the IP address or addresses that can conﬁgure the Telecommuting Module. The IP addresses can belong to one or more computers. For each IP address or interval of addresses, select which conﬁguration protocols are allowed.

Conﬁguration Allowed Via Interface

This setting speciﬁes whether conﬁguration trafﬁc is allowed via this interface. If you only allow conﬁguration via eth1, conﬁguration trafﬁc will only be allowed from computers connected to the eth1 interface, regardless of which IP address the conﬁguration trafﬁc is directed to or which IP addresses the computers have.

The choices for each interface are On and Off. This conﬁguration is a complement to the Conﬁguration Computers setting below.

Chapter 6. Administration of the Telecommuting Module

User Authentication For Web Interface Access

Select the mode of administrator authentication for logins via the web interface: Local users, via a RADIUS database, or a choice between the two alternatives at login (Local users or RADIUS database).

Local administrator users and their passwords are deﬁned on the User Administration page under Administration. If the authentication should be made by help of a RADIUS server, you must enter one on the RADIUS page.

When connecting to the administration interface via SSH, you can only log in as admin.

Conﬁguration Transport

Select Telecommuting Module IP addresses for the allowed conﬁguration protocols. The Telecommuting Module web server will listen for web trafﬁc on the IP addresses and ports selected under HTTP and HTTPS.

This is the IP address and port which should be entered in your web browser to connect to the Telecommuting Module.

For conﬁguration via ssh, you need an ssh client to log on to the Telecommuting Module.

Chapter 6. Administration of the Telecommuting Module

Conﬁguration via HTTP

Select which IP address and port the Telecommuting Module administrator should direct her web browser to when HTTP is used for Telecommuting Module conﬁguration. You can select from the Telecommuting Module IP addresses conﬁgured on the Interface pages under Network Conﬁguration.

You can use different IP addresses for HTTP, HTTPS, and SSH conﬁguration.

Conﬁguration via HTTPS

Select which IP address and port the Telecommuting Module administrator should direct her web browser to when HTTPS is used for Telecommuting Module conﬁguration. You can select from the Telecommuting Module IP addresses conﬁgured on the Interface pages under Network Conﬁguration.

You can use different IP addresses for HTTP, HTTPS, and SSH conﬁguration.

You also need to select an X.509 certiﬁcate, which works as an ID card, identifying the Telecommuting Module to your web browser. This will ensure that you are really communicating with your Telecommuting Module and not somebody else’s computer. HTTPS uses an encryption method using two keys, one secret and one public. The secret key is kept in the Telecommuting Module and the public key is used in the certiﬁcate. If any of the keys is changed, the HTTPS connection won’t work.

All local certiﬁcates for the Telecommuting Module are created on the Certiﬁcates page under Basic Conﬁguration.

Conﬁguration via SSH

Select which IP address and port the Telecommuting Module administrator should direct her ssh client to when SSH is used for Telecommuting Module conﬁguration. You can select from the Telecommuting Module IP addresses conﬁgured on the Interface pages under Network Conﬁguration.

For SSH conﬁguration, the Command Language Interface is used. See also chapter 18 of the Reference Guide.

You can use different IP addresses for HTTP, HTTPS, and SSH conﬁguration.

Conﬁguration Computers

Enter the IP address or addresses that can conﬁgure the Telecommuting Module. The IP addresses can belong to one or more computers.

Note that you must also allow conﬁguration via the Telecommuting Module interface that the computers are connected to. See Conﬁguration Allowed Via Interface above.

Chapter 6. Administration of the Telecommuting Module

No.

The No. ﬁeld determines the order of the lines. The order is important in deciding what is logged and warned for. The Telecommuting Module uses the ﬁrst line that matches the conﬁguration trafﬁc.

Perhaps you want to conﬁgure the Telecommuting Module so that conﬁguration trafﬁc from one speciﬁc computer is simply logged while trafﬁc from the rest of that computer’s network is both logged and generates alarms.

The rules are used in the order in which they are listed, so if the network is listed ﬁrst, all conﬁguration trafﬁc from that network is both logged and generates alarms, including the trafﬁc from that individual computer. But if the individual computer is listed on a separate line before the network, that line will be considered ﬁrst and all conﬁguration trafﬁc from that computer is only logged while the trafﬁc from the rest of the computer’s network is both logged and generates alarms.

DNS Name Or Network Address

Enter the DNS name or IP address of the computer or network from which the Telecommuting Module can be conﬁgured. Avoid allowing conﬁguration from a network or computer on the Internet or other insecure networks, or use HTTPS or IPsec to connect to the Telecommuting Module from these insecure networks.

Network address

Shows the network address of the DNS Name Or Network Address you entered in the previous ﬁeld.

Netmask/Bits

Netmask/Bits is the mask that will be used to specify the conﬁguration computers. See chapter 3 of the User Manual for instructions on writing the netmask. To limit access so that only one computer can conﬁgure, use the netmask 255.255.255.255. You can also specify the netmask as a number of bits, which in this case would be 32. To allow conﬁguration from an entire network, you must enter the network address under Network address, and a netmask with a lower number here. To allow conﬁguration from several computers or networks, create several lines for the information.

Range

The Range shows all IP addresses from which the Telecommuting Module can be conﬁgured. The range is calculated from the conﬁguration under DNS Name Or Network Ad-

dress and Netmask/Bits. Check that the correct information was entered in the DNS Name Or Network Address and Netmask/Bits ﬁelds.

Via IPsec Peer

Here, you can select an IPsec Peer from which this connection must be made. If an IPsec peer is selected, you will only be able to conﬁgure the Telecommuting Module from this IP address through an IPsec tunnel.

Chapter 6. Administration of the Telecommuting Module

SSH

Check the check box if this computer/network should be allowed to conﬁgure the Telecommuting Module via SSH.

HTTP

Check the check box if this computer/network should be allowed to conﬁgure the Telecommuting Module via HTTP.

HTTPS

Check the check box if this computer/network should be allowed to conﬁgure the Telecommuting Module via HTTPS.

Log Class

Here, you enter what log class the Telecommuting Module should use to log the conﬁguration trafﬁc to the Telecommuting Module’s web server. Log classes are deﬁned on the Log Classes page under Logging. See also chapter 14 of the User Manual.

No.

Delete Row

If you select this box, the row is deleted when you click on Create new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves the Access Control conﬁguration to the preliminary conﬁguration.

Chapter 6. Administration of the Telecommuting Module

Cancel

Reverts all the above ﬁelds to their previous conﬁguration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Conﬁguration page.

This button will only be visible if a DNS server has been conﬁgured.

Save/Load Conﬁguration

Here, you work with the preliminary and permanent conﬁgurations, save them and load new conﬁgurations from previously saved conﬁgurations.

Test Preliminary Conﬁguration

The settings you make in the web GUI will not be used automatically, but you must apply them ﬁrst. When there are settings which are not yet applied, a warning about this will be shown on the web pages.

When Apply conﬁguration is pressed, the Telecommuting Module will test the conﬁguration before you make it permanent.

During test, the Telecommuting Module waits for you to press one of the three buttons displayed. If you never see the three buttons, something in your preliminary conﬁguration (now tested) is wrong, which makes it impossible for you to access the conﬁguration web interface.

Duration of limited test mode

Here, you enter the time limit for the testing. If you do not press any button within this time, the Telecommuting Module will assume that some part of your preliminary conﬁguration makes connecting impossible. When the timeout is reached, the Telecommuting Module automatically reverts to the old permanent conﬁguration. If this occurs, you will be informed when trying to press a button.

Apply conﬁguration

Saves the preliminary conﬁguration to the permanent conﬁguration and puts it into use. You can test your preliminary conﬁguration before ﬁnalizing it.

Three buttons are displayed during the test:

Chapter 6. Administration of the Telecommuting Module

Save conﬁguration saves your preliminary conﬁguration to the permanent conﬁguration and puts it into use.

Continue testing shows a new page with only the other two buttons.

Revert cancels this test of the preliminary conﬁguration without saving.

If you do not press any button within the time limit, the Telecommuting Module will revert to the old permanent conﬁguration, just as if you had pressed Revert. This is useful if you happen to conﬁgure your Telecommuting Module so it isn’t accessible from your browser.

After the timeout, pressing either of the three buttons will show a new page which will inform you that the test run was aborted.

Restarting the Telecommuting Module by cycling the power also cancels the test.

Show Message About Unapplied Changes

When there are settings which are not yet applied, a warning about this will be shown on the web pages. Select here where this message should be shown. The options are On every page, On the Save/Load Conﬁguration page (this page) and Never.

Backup

All conﬁgurations can be saved to and loaded from diskette or ﬁle. This does not affect the permanent conﬁguration.

Save to diskette

Insert a formatted diskette into the Telecommuting Module’s ﬂoppy drive and press Save to diskette to save the preliminary conﬁguration. Do not remove the diskette until the light on

the ﬂoppy drive goes out.

Check that you get a conﬁrmation of the saving. If not, the diskette may be faulty.

Chapter 6. Administration of the Telecommuting Module

Load from diskette

Insert the diskette with the saved conﬁguration into the Telecommuting Module’s ﬂoppy drive and press Load from diskette. Do not remove the diskette until the light on the ﬂoppy drive goes out. The contents of the diskette are now loaded in the preliminary conﬁguration.

Save to local ﬁle

Press Save to local ﬁle to save the preliminary conﬁguration to the ﬁle you have selected. A new window is opened where you enter the name of the ﬁle.

Load from local ﬁle

Press Load from local ﬁle to load a new preliminary conﬁguration from the ﬁle you have selected.

Browse

Browse is used to scan your local disk. The web browser opens a new window where you can search among ﬁles and directories. Go to the right directory and select the ﬁle you want to upload.

Save/Load CLI Command File

All conﬁgurations can be saved to and loaded from a CLI ﬁle (see chapter 18 of the Reference Guide for more information about the CLI). You can also edit the CLI ﬁle before it is uploaded again.

Uploading a CLI ﬁle might affect the permanent conﬁguration, as the CLI ﬁle can contain commands that applies the conﬁguration.

Save conﬁg to CLI ﬁle

Press Save conﬁg to CLI ﬁle to save the preliminary conﬁguration to the ﬁle you have selected. A new window is opened where you enter the name of the ﬁle.

Load CLI ﬁle

Press Load CLI ﬁle to upload a CLI ﬁle to the Telecommuting Module.

Browse

Browse is used to scan your local disk. The web browser opens a new window where you can search among ﬁles and directories. Go to the right directory and select the ﬁle you want to upload.

Chapter 6. Administration of the Telecommuting Module

Revert to Old Conﬁgurations

You can revert to old conﬁgurations of the Telecommuting Module, either back to the last conﬁguration successfully applied, or to the conﬁguration delivered with your Telecommuting Module from the factory.

Abort All Edits

Abort all edits copies the permanent conﬁguration to the preliminary conﬁguration. All changes made in the preliminary conﬁguration are deleted.

Reload Factory Conﬁguration

The factory conﬁguration is the standard conﬁguration that is delivered with a Telecommuting Module. Click on this button to load this conﬁguration into the preliminary conﬁguration. The permanent conﬁguration is not affected.

Chapter 6. Administration of the Telecommuting Module

Chapter 7. Firewall and Client Conﬁguration

Additional conﬁguration for the ﬁrewall and the SIP clients is required to make the Telecommuting Module work properly. The amount and nature of the conﬁguration depends on which Telecommuting Module Type was selected.

The DMZ type

Using the DMZ type, the network conﬁguration should look like this:

The Firewall

The ﬁrewall to which the Telecommuting Module is connected should have the following conﬁguration:

SIP over UDP

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (port 5060). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the internal networks (all high ports) and the Telecom-

muting Module (port 5060). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the internal networks (all high ports) and the Telecom-

muting Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Telecommuting Module (all high ports) and the In-

ternet (port 53). You must allow trafﬁc in both directions. This enables the Telecommuting Module to make DNS queries to DNS servers on the Internet. If the DNS server is located on the same network as the Telecommuting Module, you don’t have to do this step.

• NAT between the Telecommuting Module and the Internet must not be used.

• NAT between the Telecommuting Module and the internal networks must not be used.

SIP over TCP/TLS

Chapter 7. Firewall and Client Conﬁguration

• Let through TCP trafﬁc between the Internet (all high ports) and the Telecommuting Mod-

ule (ports 1024-32767). You must allow trafﬁc in both directions.

• Let through TCP trafﬁc between the internal networks (all high ports) and the Telecom-

muting Module (ports 1024-32767). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the internal networks (all high ports) and the Telecom-

muting Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Telecommuting Module (all high ports) and the In-

• NAT between the Telecommuting Module and the Internet must not be used.

• NAT between the Telecommuting Module and the internal networks must not be used.

The SIP clients

SIP clients will use the Telecommuting Module as their outgoing SIP proxy and as their registrar (if they can’t be conﬁgured with the domain only). If you don’t want to use the Telecommuting Module as the registrar, you should point the clients to the SIP registrar you want to use.

Other

The DNS server used must have a record for the SIP domain, which states that the Telecommuting Module handles the domain, or many SIP clients won’t be able to use it (if you don’t use plain IP addresses as domains).

The DMZ/LAN type

Using the DMZ/LAN type, the network conﬁguration should look like this:

Chapter 7. Firewall and Client Conﬁguration

The Firewall

The ﬁrewall to which the Telecommuting Module is connected should have the following conﬁguration:

SIP over UDP

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (port 5060). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Telecommuting Module (all high ports) and the In-

• NAT between the Telecommuting Module and the Internet must not be used.

SIP over TCP/TLS

• Let through TCP trafﬁc between the Internet (all high ports) and the Telecommuting Mod-

ule (ports 1024-32767). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Internet (all high ports) and the Telecommuting

Module (the port interval for media streams which was set on the Basic Settings page). You must allow trafﬁc in both directions.

• Let through UDP trafﬁc between the Telecommuting Module (all high ports) and the In-

• NAT between the Telecommuting Module and the Internet must not be used.

SIP clients

The SIP clients on the internal network should have the Telecommuting Module’s IP address on that network as their outgoing SIP proxy and registrar.

Other

The Standalone type

Using the Standalone type, the network conﬁguration should look like this:

Chapter 7. Firewall and Client Conﬁguration

The SIP clients

Other

Index

apply conﬁguration, 52 authentication

of administrator, 48

backup, 53 Basic conﬁguration

SIP, 35

CLI ﬁle

save to, 54 upload, 54

conﬁguration

apply, 52 IP address, 48 permanent, 4 preliminary, 4 use protocol, 48 via HTTPS, 49

conﬁguration computers, 49 conﬁguration interface, 47 Content types, 42 default domain, 31 default gateway, 24 directly connected networks, 20 DMZ type, 17

conﬁguration of DNS server, 58 conﬁguration of ﬁrewall, 57 conﬁguration of SIP clients, 58

DMZ/LAN type, 18

conﬁguration of DNS server, 59 conﬁguration of ﬁrewall, 58 conﬁguration of SIP clients, 59

factory conﬁguration, 54 gateway, 24 HTTPS

for conﬁguration, 49

installing 3Com VCX IP Telecommuting Module, 5 interface, 19 interface name, 20 IP policy, 31 limited test mode, 52 logging

of conﬁguration, 50 SIP, 38

magic ping, 5 MIME types, 42

monitor SIP servers, 37 network interface, 19 network topology, 29 networks and computers, 26 permanent conﬁguration, 4 physical device name, 19 ping policy, 31 port interval for media streams, 36 preliminary conﬁguration, 4 router, 23 save conﬁguration, 53 SIP, 35

content types, 42 signaling ports, 35

SIP basic conﬁguration, 35 SIP domains

static, 39

SIP ﬁltering, 41 SIP servers

monitored, 37

standalone type, 18

conﬁguration of DNS server, 60 conﬁguration of SIP clients, 60

standardnätsluss, 24 static routing, 23 subgroup

networks, 27

surroundings, 29 Telecommuting Module name, 31 Telecommuting Module Type

conﬁguration, 19 DMZ, 17 DMZ/LAN, 18 standalone, 18

test mode, 52 turn off the 3Com VCX IP Telecommuting Module, 13 VPN peer, 50

HP 3Com VCX IP Telecommuting Module Quick Start Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

Chapter 1. Introduction

What is a Telecommuting Module?

Chapter 2. Overview of the Installation

About settings in 3Com VCX IP Telecommuting Module

License Conditions

Chapter 3. Installing 3Com VCX IP Telecommuting Module

Installation

Installation with magic ping

Installation with a serial cable

Installation with a diskette

Turning off a Telecommuting Module

Remember to lock up the Telecommuting Module

Telecommuting Module Type

Current Telecommuting Module Type

Change Telecommuting Module Type to

Change type

Interface (Network Interface 1 and 2)

General

Physical device

Status

Interface name

Obtain IP Address Dynamically

Directly Connected Networks

Name

DNS Name Or IP Address

IP address

Netmask/Bits

Network address

Broadcast address

VLAN Id

VLAN Name

Delete Row

Create

Alias

Name

DNS Name Or IP Address

IP address

Delete Row

Create

Static Routing

Routed network

Router

Delete Row

Create

Save

Cancel

Look up all IP addresses again

Default Gateway

Main Default Gateways

Priority

Dynamic

DNS Name Or IP Address

IP address

Interface

Delete Row

Create

Policy For Packets From Unused Gateways

Gateway Reference Hosts

DNS Name Or IP Address

IP address

Delete Row

Create

Save

Cancel

Networks and Computers

Name

Subgroup

Lower Limit

DNS Name Or IP Address

IP address

Upper Limit

DNS Name Or IP Address

IP address

Interface/VLAN

Delete Row