FlexPBX - Sophos UTM - 9 and Sophos XG Configuration
FlexPBX - Sophos UTM - 9 and Sophos XG Configuration
Known Issues
- This appliance is a Linux based firewall. Without a correct configuration, they will cause intermittent SIP registration and call quality issues for VoIP based services.
- This appliance does have The SIP Module (also known as SIP ALG) enabled by default. Follow the steps described below to disable SIP ALG.
- This appliance have a UDP timeout of 60 seconds by default. See below for steps to modify it.
Configuration
- Login to the firewall
- Click on Network Protection > Firewall
- Add the following two rules, please note, these are not designed to adversely impact any rules that have already been created for your organization.
- Click on the button New Rule.
- From the Group selection list, select New group
- Name this group: VoiceServicesIn
- Position: This will be determined based upon any rules already in place. At this time, there are not any known issues with the particular numbering order of these rules.
- Sources:
- You will need to create address objects that pertain to the FlexPBX VoIP product being used. Please contact Summit to obtain the IPs that need to be whitelisted.
- Services:
- You will need to create service objects for IP ports that pertain to the FlexPBX VoIP product being used. Please contact Summit to obtain the necessary Port ranges that need to be added as Service Objects to your firewall.
- Destination
- Click on the folder icon at the top of the destination box to load the predefined variables.
- From the list of pre-defined variables, drag the following option the destination box:
- Click Save after completing this rule.
Note: after creating the above rule, the above variables will be saved in the Pre-configured list and the outbound rule will be a drag-and-drop process, so the particular ranges and variables will not be specified. If you are unsure, reference the rule parameters above.
Note: Within the Sophos UI search function, search for NTP, and it will pop in as a preset service. From here you can drag and drop the service object into the active services window. Be sure to then attach this service object to the service group as well. This will cause the date and time to synchronize properly on the phones.
- Create the second rule by clicking on the New Rule button:
- From the Group selection list, select New group
- Name this group: VoiceServicesOut
- Position: again, this will be based on any rules already configured.
- Sources: Click on the folder and load the pre-configured variables.
- Drag the option: LAN1 (Network)
- Services: Click on the folder and load the pre-configured variables.
- Drag the options for the address objects for IPs created earlier.
- Destination: Click on the folder and load the pre-configured variables.
- Drag the options for the service objects for ports created earlier.
- Click Save after completing this rule.
- Within Network Protection top menu, switch from Firewall to NAT
- This part may or may not be required. If your Sophos appliance was already passing traffic to/from the internet, then this step can be disregarded.
- Click on the New Masquerading Rule
- Network:
- Click on the folder button to load the pre-configured options.
- Drag the Any option over.
- Position: 1
- Interface: WAN
- Save.
- This appliance is QoS capable and this will have to be evaluated based upon your available ISP bandwidth.
- The primary recommendation is to set this based upon the WAN interface.
- Interface and Routing > Quality of Service (QoS)
- Click Edit for the WAN interface
- Set the Downlink and Uplink utilizing the following speedtest here.
- Check the box for Upload optimizer.
- Click Save.
- The final step is to set the DNS Forwarders
- Network Services > DNS
- Select the Forwarders tab
- In the dialog box, click on the green + button
- Add two forwarders
- Name: Google1
- IPv4 Address: 8.8.8.8
- Save
- Name: Google2
- IPv4 Address: 8.8.4.4.
- Save
- Uncheck the box: Use forwarders assigned by ISP
How to disable SIP ALG
SIP ALG (also known as SIP module) can be disabled by following the steps below:
- Log in to the Command Line Console (CLI) using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner
- Choose option 4. Device Console.
- Execute the following command: console> system system_modules sip unload
How to increase UDP timeout
Sophos XG Firewall has a default UDP time-out of 60 seconds which is usually low for reliable VoIP communication.
- Log in to the Command Line Console (CLI) using Telnet or SSH. You can also access the CLI from admin > Console in the upper right corner
- Choose option 4. Device Console.
To verify the current UDP time-out value run the following command: show advanced-firewall
- To modify the UDP time-out value to 300 seconds, run the following command: set advanced-firewall udp-timeout-stream 300
Related Articles
FlexPBX VLAN Configuration
The FlexPBX standard handset supports the separation of Voice and Data using virtual lans or VLANS. The advantage of separating the voice and data is the traffic priority can be assigned to the voice traffic ensuring good audio quality. To configure ...
Flex Best Practice - How to rename a phone in FlexPBX
How to rename a phone in FlexPBX This is the best practice method of renaming a phone when a staff member changes position or jobs. Log onto the tenancy in FlexPBX Portal First remove the device from the user : Click 'Users' (see picture 1) Locate ...
FlexPBX - Quick Start Guide
Basic Call Features in Flex PBX Making a Call Dial the number of the keypad. Your call will automatically connect (may take up to 5 seconds); alternatively, you can press the Send soft key (Button 12). You can also press the Speakerphone key or the ...
Summit 3CX SIP Trunk Configuration
Summit 3CX SIP Trunk Configuration This article covers the configuration of a Summit SIP trunk on 3CX PBX and the setup of inbound numbers. Requirements You will need to have the following Provided Summit Internet with the IP of your 3CX Instance ...
FlexPBX Feature Codes
List of feature codes Here is a list of feature codes you can dial on a phone that is in the FlexPBX system. Call Forwarding Enable Call Forwarding (*72) This feature code is used to exclusively enable call forwarding. The default code is “*72”, and ...