In-Telecom recommends that the phones be on their own network separated into a different zone from the Data network.
Ensure that the interface carrying the phone network is assigned to that Phone zone.
General Firewall Settings
Ensure that SIP ALG has been disabled on the SonicWALL.
To do this, go to Security Configuration – Firewall Settings – Advanced Settings on the MANAGE tab.
Ensure that Enable Stealth Mode and Randomize IP ID are enabled.
Next, ensure that the default UDP timeout is set to 90 seconds.
To do this, go to Flood Protection under Security Configuration – Firewall Settings – Advanced Settings and click on the UDP tab. Change the Default UDP Connection Timeout (seconds) value from 30 to 90.
Next, ensure that "Enable consistent NAT" is enabled.
This is configured under System Setup - VOIP on the MANAGE tab.
NOTE: Once the above changes have been made, the SonicWALL will need to be rebooted.
Address Object Creation
Next, create an address object for the ITC Cloud Servers.
This is configured under Policies - Objects - Address Objects on the MANAGE tab.
Create the below Address Objects:
Name: ITC Cloud Server
Zone Assignment: WAN
Type: FQDN
FQDN Hostname: endpoints.itccloud.com

Name: Avaya Provisioning Server
Zone Assignment: WAN
Type: FQDN
FQDN Hostname: des.avaya.com

Name: Yealink Provisioning Server
Zone Assignment: WAN
Type: FQDN
FQDN Hostname: rpscloud.yealink.com

Name: Mediatrix Provisioning Server
Zone Assignment: WAN
Type: Host
IP Address: 192.99.54.246

An example Address Object is shown below
Once all the Address Objects have been created, create an Address Group called "ITC Cloud Servers" and add those Address Objects to the group.
Service Object Creation
Next, create a Service Object for the below services. Once all the services have been created, create a Service Group called "ITC Cloud Services" and add those Service Objects to the Service Group.
Name: ITC Cloud RP
Protocol: UDP (17)
Port Range: 3000-65000

Name: ITC Cloud Portal
Protocol: TCP (6)
Port Range: 8001-8001

Name: ITC Cloud Mobile
Protocol: TCP (6)
Port Range: 9002-9002

Name: ITC Cloud SIP - TCP
Protocol: TCP (6)
Port Range: 5080-5080

Name: ITC Cloud SIP - UDP
Protocol: UDP (17)
Port Range: 5080-5080

Access Rule Configuration
Next, add the previously created Address Objects and Service Objects to the access rule for the Phones to WAN Zone.
This is configured in Policies - Rules - Access Rules on the MANAGE tab. Filter the "From" zone to Phones and the "To" zone to WAN.
Click the Pencil icon on the Purple v4 rule.
On the General tab, adjust the below settings:
Name the policy "ITC Cloud Policy"
Change the service to the ITC Cloud Services service group created previously
Change the Destination to the ITC Cloud Servers address group created previously
On the Advanced tab, change the UDP Connection Inactivity Timeout (seconds) from 30 to 90. Leave all other settings default.
On the QoS tab, change the DSCP Marking Action to Explicit and change the Explicit DSCP Value to 46 - Expedited Forwarding (EF).
Click OK to save those changes.
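To confirm that the saved Phones to WAN rule is no broader than the objects listed above, the following added example (not In-Telecom or SonicWALL code) audits a rule against the values in this article. The rule dictionary layout, its key names and the function names are assumptions made for the example; transcribe the rule from the management interface into that shape.

```python
# Values are from the article; the rule-dict layout is an assumption, not a SonicWALL format.
EXPECTED_SERVICES = {
    ("udp", 3000, 65000),  # ITC Cloud RP
    ("tcp", 8001, 8001),   # ITC Cloud Portal
    ("tcp", 9002, 9002),   # ITC Cloud Mobile
    ("tcp", 5080, 5080),   # ITC Cloud SIP - TCP
    ("udp", 5080, 5080),   # ITC Cloud SIP - UDP
}
EXPECTED_DESTINATIONS = {"endpoints.itccloud.com", "des.avaya.com",
                         "rpscloud.yealink.com", "192.99.54.246"}

def covered(svc, allowed):
    """True if (proto, low, high) lies inside one allowed range of that protocol."""
    proto, low, high = svc
    return any(p == proto and a <= low and high <= b for p, a, b in allowed)

def audit_rule(rule):
    """Return findings; an empty list means the rule matches the article."""
    findings = []
    if (rule["from_zone"], rule["to_zone"]) != ("Phones", "WAN"):
        findings.append("rule is not Phones -> WAN")
    services = set(rule["services"])
    for svc in sorted(services):
        if not covered(svc, EXPECTED_SERVICES):
            findings.append(f"service not covered by ITC Cloud Services: {svc}")
    for svc in sorted(EXPECTED_SERVICES):
        if not covered(svc, services):
            findings.append(f"documented service missing: {svc}")
    dests = set(rule["destinations"])
    for d in sorted(dests - EXPECTED_DESTINATIONS):
        findings.append(f"destination outside ITC Cloud Servers: {d}")
    for d in sorted(EXPECTED_DESTINATIONS - dests):
        findings.append(f"documented destination missing: {d}")
    if rule["udp_timeout_s"] != 90:
        findings.append(f"UDP timeout is {rule['udp_timeout_s']}s, expected 90")
    if rule["dscp"] != 46:
        findings.append(f"DSCP is {rule['dscp']}, expected 46 (EF)")
    return findings

# Constructed sample: rule left with an extra wide service, "Any", and a 30 s timeout.
SAMPLE = {
    "from_zone": "Phones", "to_zone": "WAN",
    "services": [("udp", 3000, 65000), ("tcp", 8001, 8001), ("tcp", 9002, 9002),
                 ("tcp", 5080, 5080), ("udp", 1, 65535)],
    "destinations": sorted(EXPECTED_DESTINATIONS) + ["Any"],
    "udp_timeout_s": 30, "dscp": 46,
}
if __name__ == "__main__":
    print("\n".join(audit_rule(SAMPLE)))
```

Because UDP 5080 already falls inside the ITC Cloud RP range of 3000-65000, the check treats the SIP UDP service as present whenever that range is allowed.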
Exclude Address Group from Security Services
Lastly, ensure that the ITC Cloud Servers address group is excluded from all Security Services.
This is configured under Security Configuration - Security Services on the MANAGE tab.
First, click on the Content Filter section. Under the CFS Exclusion section, enable Exclude Administrator. Then select the ITC Cloud Servers address group created earlier.
Follow the same process for the remaining security services and ensure that the ITC Cloud Servers address group is set as the Excluded Address.