Allowing incoming calls to Polycom VC

Hi,

Does anyone have any guidance around allowing incoming calls to a Polycom VC?

We have an XG210 and 310, multiple WAN addresses (so can assign a separate Public address to VC)

I have created an SNAT rule as per (https://community.sophos.com/kb/en-us/123295), which should allow the VC to make outgoing calls.

Creating a DNAT rule seems a bit harder though, due to the Polycom requiring multiple ports.

I was thinking about creating 2 DNAT rules (one to list the required TCP ports, and one for the required UDP ports) but wanted to get someone else's view on this...

There doesn't appear to be much on this topic in the forums.

Thanks,

Matt

  • Hi,

    You only need one rule; otherwise the traffic will be dropped before getting to the second rule.

    You can create a port group to use in the rule, or you can add individual ports to your rule. This also makes debugging easier, as all traffic is referenced against the one rule.

    I can't provide the specifics because my XG is off until v17b is released.

  • In reply to rfcat_vk:

    I did create the services and service groups with all of the correct ports, but I couldn't see anywhere to include them into the DNAT rule.

    Using this as a reference.

  • Hi Matthew,

    I would recommend you to configure Proxy ARP for your Polycom server. This will use the WAN address dedicated to the Polycom server.

    Kindly refer to the KB article http://sophos.com/kb/123525 for more information.

  • In reply to Aditya Patel:

    Hi Aditya,

    Thanks for the suggestion. So, to be clear, we would put the Polycom units into the DMZ, but with the dedicated public IP, set up proxy ARP so we can talk to them, then configure the WAN to DMZ network rule with the appropriate service group?

    Thanks,

    Matt

  • In reply to Matthew Trigg:

    Hi Matthew,

    Yes, the proxy ARP would allow you to configure the public address onto your Polycom server. Plus you could regulate the services allowed via the WAN to DMZ rule, and the same for DMZ to WAN.

  • In reply to Aditya Patel:

    Hi Aditya,

    Our WAN is a /30 point-to-point connection with a separate public subnet routed to it, which we use to publish services.

    How would you suggest we work this into the Proxy ARP solution, if that is still the right way to go?

    We cannot put the router's IP address as the gateway for the endpoints, because it is in a different subnet (if following the example in the article you provided).

    Thanks,

    Matt

  • In reply to Matthew Trigg:

    Hi Matt,

    I believe the additional public address provided to you by your ISP could be configured on your server, and I would assume the gateway would be the same as the ISP gateway.

  • In reply to Aditya Patel:

    Hi Aditya,

    FYI - the point-to-point connection is actually a /31, not a /30.

    So let's say the router has an IP address of 1.1.1.1 and the interface on the XG WAN port is 1.1.1.2.

    The additional public subnet we have is something like 2.2.2.0/24, which is routed to our point-to-point address by the ISP.

    I am able to configure 2.2.2.x addresses as aliases on the WAN port and publish things that way with NAT. However, if I put the IP address 2.2.2.1 directly onto the endpoint (Polycom)... then I don't think we can use 1.1.1.1 as the gateway due to it being in a different subnet.

    In the Sophos-provided example, it shows 1.1.1.1 as the gateway... but the endpoints are also in the 1.1.1.x subnet, which makes sense.

    In our case it does not :(.

    Any suggestions?

    Thanks,

  • In reply to Matthew Trigg:

    Hi Matt,

    I don't know if Polycom would allow such a configuration, but we could do the IP configuration of different subnets on Windows and macOS. If you are able to configure it then you are good to go with Proxy ARP; otherwise DNAT would be ideal for you.

  • In reply to Aditya Patel:

    Hi Aditya,

    I will be implementing our new XG210 this weekend... I think I will just do DNAT for the time being, restrict the source and allow all ports.

    Not ideal, but I think that's the only way this is going to work in the short term unless we put an intermediate router in (with the secondary public subnet).

    Thanks for your assistance with this.

    Matt
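As an added example (not code from the thread, from Sophos or from Polycom), here is a small Python model of the two points the discussion turns on: whether a gateway is actually on-link for a given interface address, including the RFC 3021 /31 point-to-point case Matt mentions, and a single first-match DNAT rule whose service group carries both TCP and UDP ports while only admitting a known source network, which is the "restrict the source" approach Matt settles on. The function and class names (`gateway_is_onlink`, `DnatRule`, `translate`) are hypothetical, the addresses are from documentation ranges rather than the thread's 1.1.1.x/2.2.2.x placeholders, and the port list is a constructed stand-in, not the Polycom's real port requirements.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def gateway_is_onlink(interface_cidr: str, gateway: str) -> bool:
    """True if `gateway` is a usable neighbour on the link described by
    `interface_cidr` (the host's own address with its prefix length).

    Handles RFC 3021 /31 point-to-point links, where both addresses are
    usable hosts and there is no network or broadcast address.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw == iface.ip or gw not in net:
        return False
    if net.prefixlen == 32:          # a lone host address: no neighbour at all
        return False
    if net.prefixlen == 31:          # /31: the only other address is the peer
        return True
    # Larger blocks reserve the first and last address.
    return gw not in (net.network_address, net.broadcast_address)


@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    public_ip: str                          # WAN alias the rule listens on
    internal_ip: str                        # DMZ address the flow is translated to
    services: frozenset                     # service group: TCP and UDP entries together
    allowed_sources: Tuple[str, ...] = ()   # source CIDRs; empty tuple = any source

    def matches(self, flow: Flow) -> bool:
        if flow.dst != self.public_ip:
            return False
        if Service(flow.proto, flow.port) not in self.services:
            return False
        if not self.allowed_sources:
            return True
        src = ipaddress.ip_address(flow.src)
        return any(src in ipaddress.ip_network(cidr) for cidr in self.allowed_sources)


def translate(rules: Sequence[DnatRule], flow: Flow) -> Optional[Tuple[str, str]]:
    """Evaluate rules top-down; the first match wins.
    Returns (rule name, translated destination) or None if no rule applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.internal_ip
    return None


# Constructed sample service group: placeholder ports standing in for the
# Polycom's real TCP and UDP requirements (take those from the vendor docs).
SAMPLE_VC_PORTS = frozenset({
    Service("tcp", 1720),
    Service("udp", 3230),
    Service("udp", 3231),
})

# One rule carries the whole group and only admits the far-end VC's network.
RULES = [
    DnatRule(
        name="vc-inbound",
        public_ip="203.0.113.10",           # constructed WAN alias
        internal_ip="10.0.0.50",            # constructed DMZ address of the VC
        services=SAMPLE_VC_PORTS,
        allowed_sources=("192.0.2.0/24",),  # constructed peer network
    ),
]


if __name__ == "__main__":
    print(gateway_is_onlink("198.51.100.1/31", "198.51.100.0"))  # /31 peer is on-link
    print(gateway_is_onlink("203.0.113.1/24", "198.51.100.0"))   # routed block: gateway off-link
    print(translate(RULES, Flow("192.0.2.7", "203.0.113.10", "tcp", 1720)))
    print(translate(RULES, Flow("192.0.2.7", "203.0.113.10", "udp", 3230)))
    print(translate(RULES, Flow("198.51.100.9", "203.0.113.10", "tcp", 1720)))  # source not allowed
```

The on-link check shows why an endpoint holding an address from the routed 2.2.2.0/24-style block cannot use the ISP's point-to-point address as its default gateway without an intermediate router or proxy ARP on the firewall, and the rule model shows that a single DNAT rule with one service group matches both TCP and UDP flows, so there is no need for a second rule that a first-match evaluation would never reach.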