When deploying FortiFone Softclient on your FortiVoice system, there are numerous steps to take to ensure everything works correctly while maintaining a secure network.
This recipe covers the best practices for a FortiVoice behind a FortiGate firewall running FortiOS 6.0 or higher.
FortiVoice Enterprise Configuration
- On the Dashboard, under License Information, load the Softclient license file to allow activation and registration of Softclients on the system.
- Go to Network > Phone Systems > Advanced Settings and on the SIP page, enter the following:
– The external IP or FQDN in the Network
– Configure the External SIP TCP port, and External SIP UDP port.
– Configure the External HTTPS port.
- Under Advanced Settings, ensure that SIP session helper is disabled.
- Go to Extensions > Extensions > IP Extension to create a new extension.
Note: If adding the Softclient as an auxiliary extension, select your extension to edit it, click Auxiliary Device, and click New.
Under Advanced Settings, set the following:
– Location: mobile
– SIP setting: sip_mobile_default
– Phone type: FortiFone-SoftClient
- In the FortiGate web interface navigate to System > Settings and ensure that Inspection Mode is set to Proxy.
- Go to System > Feature Visibility and enable the following:
– Multiple Security Profiles
- Next go to Policy & Objects > Virtual IPs and create Virtual IPs for the following services that map to the IP address of FortiVoice:
– External SIP TCP port of FortiVoice. If you have modified sip_mobile_default to use UDP instead, configure the VIP for the External SIP UDP port.
– External HTTPS port of FortiVoice, so that the Softclient can log in remotely.
- Create a Virtual IP Group for the services created above.
- Enable hosted NAT-T in the VoIP protection profile for the inbound policy to prevent potential one-way audio issues caused by NAT. In the FortiGate CLI, create a new VoIP profile by entering the following:
config voip profile
edit <profile_name>
config sip
set hosted-nat-traversal enable
set hnt-restrict-source-ip enable
- Set the SIP port that FortiGate should monitor for traffic. This would include the External TCP port configured on FortiVoice:
config system settings
set sip-tcp-port xxxx
Note: If using UDP, use set sip-udp-port.
- Set the interface that is connecting to the internet (WAN) as external to engage the SIP ALG:
config system interface
edit "port x"
set external enable
- Create a policy under Policy & Objects > IPv4 Policy in the FortiGate web interface for the Virtual IPs as follows:
– Set the incoming port as your wan1 port (or port connected to the internet).
– Set the outgoing interface to your lan.
– Set the Source to all.
– In Destination select FortiVoice, or the Virtual IP Group you created in Step 2.
– Enable VoIP and select the VoIP profile from the list you created in Step 3.
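One way to check an exported FortiGate configuration against the CLI steps above, as an added example that is not Fortinet's code. It assumes a plain-text config backup; the function names `parse` and `audit` and the interface, profile name and policy ID in the sample are made up for illustration.

```python
# Constructed excerpt of a FortiGate config backup; interface, profile name and policy ID are made up.
SAMPLE = """
config system interface
    edit "wan1"
        set external enable
    next
end
config voip profile
    edit "fvoice-softclient"
        config sip
            set hosted-nat-traversal enable
        end
    next
end
config firewall policy
    edit 12
        set srcintf "wan1"
        set voip-profile "fvoice-softclient"
    next
end
"""

def parse(text):
    """Flatten nested config/edit blocks into {path tuple: {setting: value}}."""
    path, out = [], {}
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word in ("config", "edit"):
            path.append(rest.strip().strip('"'))
        elif word in ("next", "end") and path:
            path.pop()
        elif word == "set":
            key, _, val = rest.strip().partition(" ")
            out.setdefault(tuple(path), {})[key] = val.strip().strip('"')
    return out

def audit(text, wan):
    """Return findings for the recipe's SIP settings on policies entering via `wan`."""
    cfg, findings = parse(text), []
    if cfg.get(("system interface", wan), {}).get("external") != "enable":
        findings.append(f"interface {wan}: external not enabled")
    used = {v["voip-profile"] for p, v in cfg.items()
            if p[:1] == ("firewall policy",) and v.get("srcintf") == wan and "voip-profile" in v}
    if not used:
        findings.append(f"no policy from {wan} applies a VoIP profile")
    for name in sorted(used):
        sip = cfg.get(("voip profile", name, "sip"), {})
        findings += [f"voip profile {name}: {opt} not enabled"
                     for opt in ("hosted-nat-traversal", "hnt-restrict-source-ip") if sip.get(opt) != "enable"]
    return findings
```

Run against the sample, `audit(SAMPLE, "wan1")` reports the profile that has hosted NAT traversal enabled but lacks `hnt-restrict-source-ip`.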