FortiVoice Best Practices: FortiFone Softclient


When deploying FortiFone Softclient on your FortiVoice system, there are numerous steps to take to ensure that everything works correctly while maintaining a secure network.

This recipe covers the best practices for a FortiVoice behind a FortiGate firewall running FortiOS 6.0 or higher.


FortiVoice Enterprise Configuration

  1. On the Dashboard, under License Information, load the Softclient license file to allow activation and registration of Softclients on the system.
  2. Go to Phone Systems > Advanced Settings > SIP and enter the following:
    – The external IP or FQDN in the Network
    – Configure the External SIP TCP port and External SIP UDP port.
    – Configure the External HTTPS port.
  3. Under Advanced Settings, ensure that SIP session helper is disabled.
  4. Go to Extensions > Extensions > IP Extension to create a new extension.
    Note: If you are adding the Softclient as an auxiliary extension, select your extension to edit it, click Auxiliary Device, and then click New.
  5. Under Advanced Settings, set the following:
    – Location: mobile
    – SIP setting: sip_mobile_default
    – Phone type: FortiFone-SoftClient




FortiGate Configuration

  1. In the FortiGate web interface navigate to System > Settings and ensure that Inspection Mode is set to Proxy.
  2. Go to System > Feature Visibility and enable the following:
    – Multiple Security Profiles
  3. Next go to Policy & Objects > Virtual IPs and create Virtual IPs for the following services that map to the IP address of FortiVoice:
    – External SIP TCP port of FortiVoice. If you have modified sip_mobile_default to use UDP instead, configure the VIP for the External SIP UDP port.
    – External HTTPS port of FortiVoice, so that the Softclient can log in remotely.
  4. Create a Virtual IP Group for the services created above.
  5. Enable hosted NAT-T in the VoIP protection profile for the inbound policy to prevent potential one-way audio issues caused by NAT. In the FortiGate CLI, create a new VoIP profile by entering the following:
    config voip profile
         edit SIP_IN
              config sip
                   set hosted-nat-traversal enable
                   set hnt-restrict-source-ip enable
              end
         next
    end
  6. Set the SIP port that FortiGate should monitor for traffic. This would include the External TCP port configured on FortiVoice:
    config system settings
        set sip-tcp-port xxxx
    end

    Note: If using UDP, use set sip-udp-port. 
  7. Set the interface that is connecting to the internet (WAN) as external to engage the SIP ALG:
    config system interface
        edit "port x"
            set external enable
        next
    end
  8. Create a policy under Policy & Objects > IPv4 Policy in the FortiGate web interface for the Virtual IPs as follows:
    – Set the incoming port as your wan1 port (or port connected to the internet).
    – Set the outgoing interface to your lan.
    – Set the Source to all.
    – In Destination, select FortiVoice or the Virtual IP Group you created in Step 4.
    – Enable VoIP and select the VoIP profile you created in Step 5 from the list.
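
To confirm that the CLI settings from Steps 5 to 8 are actually present on the firewall, a configuration backup can be checked offline. The following is an added example, not part of the original recipe or Fortinet's tooling: the sample backup, the names wan1 and SIP_IN used in it, port 5070, and the helper names parse and audit are all assumptions made for illustration.

```python
import shlex

# Constructed config-backup excerpt (made-up names/port); hnt-restrict-source-ip omitted on purpose.
SAMPLE = '''config system settings
    set sip-tcp-port 5070
end
config system interface
    edit "wan1"
        set external enable
    next
end
config voip profile
    edit "SIP_IN"
        config sip
            set hosted-nat-traversal enable
        end
    next
end
config firewall policy
    edit 10
        set voip-profile "SIP_IN"
    next
end'''

def parse(text):
    """Flatten config/edit/set nesting into {(section, ..., key): value}."""
    path, out = [], {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))
        elif tok and tok[0] in ("end", "next") and path:
            path.pop()
        elif tok and tok[0] == "set":
            out[tuple(path) + (tok[1],)] = " ".join(tok[2:])
    return out

def audit(text, wan, profile):
    """Return the recipe's CLI settings that are missing from the backup."""
    cfg = parse(text)
    sip = ("voip profile", profile, "sip")
    checks = {
        "hosted-nat-traversal": cfg.get(sip + ("hosted-nat-traversal",)) == "enable",
        "hnt-restrict-source-ip": cfg.get(sip + ("hnt-restrict-source-ip",)) == "enable",
        "interface external": cfg.get(("system interface", wan, "external")) == "enable",
        "sip-tcp-port": ("system settings", "sip-tcp-port") in cfg,
        "policy voip-profile": any(k[0] == "firewall policy" and k[-1] == "voip-profile"
                                   and v == profile for k, v in cfg.items()),
    }
    return [name for name, ok in checks.items() if not ok]
```

Calling audit(SAMPLE, "wan1", "SIP_IN") reports the missing hnt-restrict-source-ip setting. The parser is line-based and assumes every value fits on one line, so multi-line quoted values in a full backup would need to be stripped first.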