Best way to setup remote worker with IP Phone

Posted on 2010-08-18
Last Modified: 2012-05-10
We currently have a remote worker who uses citrix to access our networks.  We would like to setup an IP Phone at his site but we're not sure how to implement it securely.  We don't have SIP on the extranet so the user would need to VPN into our site.    We have an NEC SV system.

What I am thinking is we can do a IPSec between our site and his home.  His office is downstairs and his router is upstairs.  His home is entirely wireless.  Should we replace his router and setup IPSec to only route the IP Phone traffic?

We have also tried to use SSLVPN with a soft phone.  However, it is not the same experience as with a real phone.

What would be the best way of handling this? Are there better alternatives?
Question by:anthonypham
  • 3
  • 3

Accepted Solution

Allvirtual earned 500 total points
ID: 33466852
You want to think about complete security. Remote workers introduce certain risks into your network. Such as when they access your Intranet and the Internet at the same time there is a risk that malicious traffic gets tunneled into your company network. So I'd setup a secure IPsec tunnel from his home to the company with no Split Tunneling allowed when connected. Off course that assumes you have proxy capabilities inside your network to get him on the Internet if he needs it. So there are several considerations to make here. Either way an IPsec tunnel is the best way as the performance should be good and all he needs is a client on his computer in which case he also should run his softphone application on that computer. That way you don't need to modify any hardware in his or your network. And IPsec has better performance then SSL VPN.
So my recommendation is use IPsec VPN with a soft phone and setup security properly.

Author Comment

ID: 33467224
We currently have a Palo Alto Networks Router.  Do you recommend any IPSEC routers for home office uses?

Expert Comment

ID: 33467299
Why do you want a hardware gateway at the remote site? Does the remote user has several machines or a larger network that needs to be connected remotely? If it's just one computer or even two computers it is easier to just use a VPN client. What do you think? Also client to server VPN is normally easier to setup then side-to-side VPN especially with different vendor gateways.
The New “Normal” in Modern Enterprise Operations

DevOps for the modern enterprise offers many benefits — increased agility, productivity, and more, but digital transformation isn’t easy, especially if you’re not addressing the right issues. Register for the webinar to dive into the “new normal” for enterprise modern ops.


Author Comment

ID: 33467483
Thanks for the help so far.  I believe the VPN client is a good solution will work out about 50% of the time.  We have some users who prefer a physical IP phone.  I believe I would need it routed through the IPSec as well.  Tell me what you think.

Expert Comment

ID: 33467724
OK. Those who prefer a physical IP phone give them a headset 8) Seriously. I like to avoid hardware whenever I can - trust me it will keep piece of mind and sanity in IT management. If you must have a small hardware IPsec box we had good success with Linksys (value for your money). If budget is not a major concern I'd go with Juniper off course. One word of caution: ensure compatibility with your VPN gateway at your central site! Juniper will work in most cases.

Author Closing Comment

ID: 33467748
Thanks for the helpful and prompt responses.  They were valuable for us.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco MRA Phones 4 103
Question about Authentication Domain 6 94
Vpn Server 2012 not working Draytek Vigor 2830 2 53
Change name on 7940 Cisco UM 10 22
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question