In Part I, I talked about moving my church’s office and network resources to the cloud because they had decided to sell their building in order to build a new site, and had dispersed from their old office to a temporary office and to working from their homes.
My church decided to move their phone numbers to Phone.Com to use IP phones and soft phones for their communications after their move from their old office. In this post, I’m going to talk about my struggle to get their IP phones working through Microsoft TMG.
Why Microsoft TMG?
I’ve been asking myself that question a lot lately. At the office I had them set up with a Cisco PIX for their firewall, but I chose to move them to TMG since it’s a lot easier for me to manage. In addition, I believe it will help me with the Office 365 identity integration with their Active Directory. But right now I’m just trying to get their IP phones working.
The First Experience
I didn’t know how IP phones worked when I started this, since at the church office, they had a phone provider who brought in the lines to a PBX and then to the offices. There was nothing for me to manage.
At the temporary office, everything worked for the IP phones as long as I used the Verizon FIOS router but stopped as soon as I switched over to TMG. Nice. Time for me to go and study how IP phones are supposed to work.
After reading up on the SIP and RTP protocols, I discovered a really slick wizard in TMG which allowed me to create rules for VoIP. I went through the wizard and ended up with three new firewall policy rules:
This made sense so I grabbed an IP phone and dialed someone. The call went through (yippee!!!) but I couldn’t hear them and they couldn’t hear me (sigh).
So that would mean the SIP protocol went through fine, but the RTP protocol, which carries the voice, didn’t go through.
What The TMG Log Showed
I started a log query on TMG restricted to just the IP phone’s IP address and made another prank call. This is what the log showed me:
There are two things I see wrong here. The first and most obvious is that the connection was denied. The second is that the protocol name is ‘Phones 6060’, which was an old protocol I had defined earlier when I was working through my ignorance of how IP phones worked, but have since deleted.
I see that the destination port is an even port number. According to the RTP protocol, the data is sent over an even port number and the corresponding data is carried over the next higher port number, which is an odd number. So this log is telling me that the phone was trying to perform RTP communications over the even port number 32746 but the attempt was denied, and that would be why I don’t see communications over port 32747, which would be the data coming back.
But why is the protocol ‘Phones 6060’ showing up in the logs? I know I deleted it, and I have even rebooted the TMG server since then, so there’s no reason for it to show up in the logs. The fact that this deleted protocol is showing up, and the fact that TMG is not allowing the IP phones out even after I created the proper firewall rules, makes me less confident that what I see in the TMG UI is actually what TMG is doing under the covers. Thanks Microsoft.
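The two observations above (a denied even-numbered media port whose odd companion never shows up, and a protocol name that should no longer exist) can be checked mechanically over a log export. The following is an added example, not code from the original post; it assumes a constructed, simplified log format of source IP, destination port, protocol name and action rather than TMG's real export format.

```python
# Added triage helper (not from the original post). Reads firewall log lines
# in a constructed, simplified format and flags denied RTP media flows and
# protocol names that no longer exist in the firewall policy.
from collections import defaultdict

# Constructed sample lines, not real TMG output: src, dst_port, protocol, action
SAMPLE_LOG = """\
192.168.1.50 5060 SIP Allowed
192.168.1.50 32746 Phones_6060 Denied
192.168.1.50 32748 Phones_6060 Denied
192.168.1.50 32749 RTP Allowed
192.168.1.51 40000 RTP Allowed
192.168.1.51 40001 RTP Allowed
"""

def parse_log(text):
    """Return a list of (src, port, proto, action) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        src, port, proto, action = parts
        entries.append((src, int(port), proto, action))
    return entries

def rtp_pair(port):
    """RTP uses an even port; its companion is the next higher (odd) port."""
    return (port, port + 1) if port % 2 == 0 else (port - 1, port)

def denied_media(entries, media_range=(10000, 65535)):
    """Denied even-port flows in the media range, noting whether the odd
    companion port was ever seen for the same source (it should be)."""
    seen = defaultdict(set)  # src -> every destination port seen for it
    for src, port, _, _ in entries:
        seen[src].add(port)
    lo, hi = media_range
    findings = []
    for src, port, proto, action in entries:
        if action != "Denied" or port % 2 or not (lo <= port <= hi):
            continue
        even, odd = rtp_pair(port)
        findings.append({"src": src, "port": even, "proto": proto,
                         "companion_seen": odd in seen[src]})
    return findings

def stale_protocols(entries, known=("SIP", "RTP")):
    """Protocol names in the log that are not in the current policy's known set."""
    return sorted({proto for _, _, proto, _ in entries if proto not in known})
```

Running denied_media over the sample flags both 32746 (no 32747 ever seen) and 32748, while stale_protocols reports the deleted ‘Phones_6060’ definition still being matched.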
Well, it’s a rainy and stormy day today so this is as good a day as any to work through this…