Avaya IP Office - Can remote phones connect to the IP Office WAN port?


In an Avaya IP Office phone system / PBX which has a LAN and a WAN port, can this system be configured in such a way that the WAN interface is directly on the edge network (outside of the firewall) to allow for remote phones to connect to the system?

Any time that I've seen these systems configured, the phone was connecting through a Cisco ASA firewall using a VPN connection built into the Avaya handset.  The Avaya IP Office was behind the firewall on a voice segment and routing OUT through the data segment or through a separate interface on the firewall to the Voice segment.  The handset was then configured with its own set of PHASE 1 / PHASE 2 settings for VPN config.

Is this necessary?  It's usually a complicated deployment if we do not ship the phone PRE-CONFIGURED...walking someone through a WAN IP would be easier.

Tony Giangreco Commented:
You can open the appropriate ports on the firewall and allow the users access to the IP Office system in that manner without moving the phone system directly to a public IP address. This retains the protection you currently receive by the firewall and blocks hackers from directly accessing your phone system.

Hope this helps!
jkeegan123 (Author) Commented:
No I'm talking about being able to have a phone at the remote home office and have it register with the office system.  CURRENTLY in order to do this, according to tech articles from AVAYA, we need:

- Cisco ASA firewall
- IP Office behind the firewall
- IPSec VPN configured on the Cisco ASA
- Handset configured with built in VPN details (special model phone to do this with VPN client built in) including phase 1, phase 2 and pre shared key
- Phone handset VPN's with Cisco ASA and is passed through firewall to Avaya IP Office.

Why do we jump through these hoops if there is a WAN and a LAN port?  In the referenced configuration that I just mentioned, this is with the LAN port only, NOTHING EVER plugged into the WAN port.  

If it HAS A WAN PORT, I'm asking if anyone has ever configured this PBX to be used where a remote phone can be connected without needing to jump through so many hoops.  Granted, there is a different level of security between the 2 systems, but there are small businesses that are willing to compromise that to save a buck, and then there are configurations that are EXTREMELY SECURE but not realistic to deploy.
Tony Giangreco Commented:
The WAN port is your Internet connection coming into your firewall and leading into your network out the LAN port.  We all have a WAN port but that's your public IP and moving your IP Office system directly to the WAN port opens that system up to hacking activity which is not a good practice.

The steps you outlined above from Avaya are the proper steps required to connect a remote office directly to your IP Office.  I assume you are using a PRI card or PRI configuration at your main office for your phone lines. If so, you should be able to pull that remote office phone line into the PRI which may provide some additional flexibility in tying that remote office into your IP Office system. You should contact your Phone Line provider and your Avaya IP tech to determine your current configuration and what all the possibilities are.

Nothing is extremely secure but you don't want to open your company up to less secure situations. I work with network and data security all day. I see situations that non-technical users get their companies into.  A technical rep should always be part of these discussions to help keep your company in a comfortably secure zone.

jkeegan123 (Author) Commented:
Best practices aside, the question still exists:  Can this be done?  Whether it is a best practice or not, the 2 ports exist and other systems CAN and DO do this.  Does anyone know?
jkeegan123 (Author) Commented:
It turns out that this CAN be done on the WAN interface, the services and interface just need to be set up correctly to do so.  ADMIN services (HTTP/manager access) can be enabled on this interface as well, although that is definitely NOT recommended as this could (and would) lead to REMOTE ACCESS attempts.

We have set this up now both WITH and WITHOUT a firewall device in front of the WAN port.  It CAN be set up to be on the public network without a firewall if desired, although as other posters mention in this thread, and as I recommend myself, doing this without a firewall can lead to system compromise and remote hijacking of the IP Office system.

We HAVE implemented this based on customer requirement WITHOUT a network firewall in front of the IP Office and we limited the remote admin access to not be allowed on this interface.  When we had SIP AUTH attempts on the SIP port (which needs to stay accessible by ALL in order to use SIP service from multiple carriers), we put a specialized SIP firewall on the line made by PIKA TECHNOLOGIES called the PIKA UFIREWALL (http://www.pikatechnologies.com/english/View.asp?x=1294).  This device blocked access from IP addresses that performed 5 failed SIP AUTH attempts, and it's very useful in this regard, kind of like an F2B access-list inline.  The device is about $300 and performs great.

So the answer to this is:  YES, services CAN be configured on the WAN port of the IP OFFICE without a firewall in front of it, however doing so can be extremely risky and all precautions should be taken to limit services on that interface since the IP OFFICE does not have any built-in firewall functionality.  The BEST WAY to set up is behind a firewall, but if it MUST be done without a firewall in front of it, it CAN BE DONE.  It is definitely not recommended, but the question was IF, not SHOULD.
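
The lockout rule described in the post above (block a source IP after 5 failed SIP AUTH attempts), sketched as an added example that is not part of the original thread and is not the PIKA device's own logic. The event tuple layout, the 600-second window and the sample addresses are assumptions constructed for illustration; the point it shows is that the routine 401 challenge sent to a legitimate phone must not be counted as a failure.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # threshold quoted in the post
WINDOW_SECONDS = 600    # assumption: the post gives no time window

# Constructed sample events:
# (epoch seconds, source IP, request carried credentials?, SIP response status)
# 198.51.100.7 is a legitimate phone: bare REGISTER -> 401 challenge, then 200.
# 203.0.113.50 guesses passwords: every REGISTER carries credentials and is rejected.
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", False, 401),
    (1001, "198.51.100.7", True, 200),
    (1010, "203.0.113.50", False, 401),
    (1011, "203.0.113.50", True, 401),
    (1012, "203.0.113.50", True, 403),
    (1013, "203.0.113.50", True, 401),
    (1014, "203.0.113.50", True, 401),
    (1015, "203.0.113.50", True, 401),
    (1016, "203.0.113.50", True, 401),
    (4600, "198.51.100.7", False, 401),
    (4601, "198.51.100.7", True, 200),
]


def is_failed_auth(had_credentials, status):
    """A 401/407 to a request without credentials is the normal digest
    challenge; only a rejection of supplied credentials is a failure."""
    return had_credentials and status in (401, 403, 407)


def find_blocked(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {ip: time_blocked} for sources that reach max_failures
    failed authentications within `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for ts, ip, had_credentials, status in sorted(events):
        if ip in blocked:
            continue              # traffic from this source is already dropped
        if not is_failed_auth(had_credentials, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, ts in find_blocked(SAMPLE_EVENTS).items():
        print(f"block {ip} (threshold reached at t={ts})")
```

A sliding window means a source that spaces its guesses further apart than the window is never blocked, so the window length trades lockout of mistyped passwords against coverage of slow guessing.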

jkeegan123 (Author) Commented:
The question was whether or not this could be done, not IF it should be done.  We researched this in the lab and found that it indeed could be done.