First I went to the Global SIP screen and set things up in the usual way so that the phone had the information needed to register to the PBX, etc.

This would work great if the phone could route directly to the PBX and back again but with Network Address Translation occurring on my end throws a monkey wrench into the works when it comes to SIP and RTP.

So next I looked on the Network settings. This is where all of the NAT options live. With typical cable or DSL service, I'd just set a STUN server, maybe check the Rport box and go. In the case of the Uverse 2Wire Residential Gateway, however no combination of these options that I tried worked.

So in the end it seemed necessary to take a look at the available settings on the 2Wire device and see what my options were. There weren't many.

I ended up explicitly allowing the UDP ports that the phone uses. On the Uverse gateway. Here are the steps:

First I went to the Firewall tab and then Firewall Settings. I selected the phone from the Computer drop down and selected "Allow individual application(s)" like so.

Next, I clicked Add a new user-defined application and created a user-defined app as below.

The phone sends and receives RTP traffic on ports beginning with UDP 3000. I opened up ten ports allowing for five simultaneous calls. This seemed like more than enough for my purposes.

When I was done I clicked "Add Definition" and then the new user-defined app was ready to go. I Selected it on the following page, clicked Add, and then Done. After that the phone worked great.

What I did find odd is that I didn't need to define a stun server on this phone to get it to work in this situation. The 2Wire residential gateway must do some sort of manipulation of SIP packets because from what I could tell all of the fields looked correct with the appropriate public IPs in the right places.

It's unfortunate that the phone couldn't be made to work without making changes to the firewall. But something with the way that the 2Wire handles RTP seems to make it necessary.

Enjoy!

Matt

Switch Configuration

We used a Dell PowerConnect 6248 switch in this case. During R&D for this project I also made 802.1x authentication work on a PowerConnect 6024 and a Cisco Catalyst 2950 series. I actually made things work with the Catalyst first by following this article http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html. The important bits of the config for the PowerConnect 6248 are as follows:


*snip*
! This enables dot1x globally
dot1x system-auth-control
! This sets up the radius server. 192.168.1.5 is a Windows Server 2003 server running IAS
aaa authentication dot1x default radius
radius-server key "abcdefg"
radius-server host 192.168.1.5
exit
!
! This port requires authorization. This is the default.
interface ethernet 1/g1
exit
!
!This port is forced into an authorized state.
interface ethernet 1/g2
dot1x port-control force-authorized
exit

Windows Client and Server Configuration

To configure the clients and server I used this article: http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm.

This article pretty much got me where I needed to be but here's a couple of things to note.

1. You have to make the registry change found on Page 13. There doesn't seem to be any way around it. If you find one, let me know. The plan is to make the change in a logon script.
2. How your computer names are stored in the certificate issued to the clients is important. The default settings had been changed on the system in this case and this caused some problems. I successfully used a Subject Name Format of None and checked DNS name. I also used a subject name format of Fully Distinguished Name with nothing checked underneath. I do not fully understand these options so YMMV.

Keeping that in mind you shouldn't have any problems implementing this using the two articles that I linked to. I may eventually get really motivated and take screen shots.

UPDATE!

I spent manyl hours over the last couple of weeks trying to get this to work well in production.  We were seeing very odd behavior.  At times ports that had been moved to the guest vlan would mysteriously be moved vlan 1 once the host was disconnected and would stay their for long periods of time.  Vlan 1 does not normally contain any ports with this configuration.  At once point we had two ports stay in vlan for more than eighteen hours.  It was weird to say the least.

We tried my Catalyst 2950 in the customer's production environment and it worked perfectly and exactly as I would expect it to.  We finally gave up on the PowerConnect and my customer decided to just buy some used 24 port Catalyst 2950s.

What we ended up doing was creating a trunk port on the PowerConnect 6248 that supplied both the guest and trusted vlans to a trunk port on the catalyst.  Since my Catalyst is not layer 3 capable the PowerConnect still handled routing, DHCP relay, and ACLs.  The Catalyst was just responsible for 802.1x.

When I get my switch back I'll post the important bits of the config.

It turns out that when you start your web browser and you have automatic proxy detection enabled it attempts to find a file at the URL http://wpad.yourdomain.tld/wpad.dat. In my case it would try for http://wpad.mattscott.org/wpad.dat. If that file is found it runs the javascript in it and sets the proxy settings to however they are defined in the wpad.dat file. Here's what we did. I'm using example.com as my domain to protect the guilty.

Create a DNS Record

We created a CNAME for wpad.example.com that pointed to a web server. In this case a Microsoft Small Business Server 2003 running IIS. An A record would work okay too but given the fact that this will probably never be a server's primary name record a CNAME made sense to me.

Create wpad.dat

Now you need to create your wpad.dat file. We found several examples on the web. Here's an example. Google can help you find more:

function FindProxyForURL(url, host)

{

if (shExpMatch( host, "192.168.1.*" )

|| shExpMatch( host, "127.*" )

|| shExpMatch( host, "localhost" )

|| shExpMatch( host, "*.example.com" )

|| isPlainHostName( host )

|| dnsDomainIs( host, ".example.com" )) {

return "DIRECT";

}

return "PROXY proxy.example.org:8080;";

}
The first section inside the if block tells the browser to connect to the destination server directly if one of those conditions are met. You'd normally do this to bypass your proxy for a host on the local LAN. The second section is where you define the proxy for use with everything else. It's just a javascript function so you could probably go pretty crazy with the thing if you wanted to.

Once you've created your file copy it to the root of your web server. One thing that we noticed was that IIS wouldn't server the file initially because it didn't have a mime type for a .dat file. So we added a mime type of application/x-ns-proxy-autoconf for .dat files and we were good to go.

Create a DHCP Scope Option

The last thing we did was create an option in our DHCP scope to define where your wpad.dat file is. I don't believe his isn't strictly necessary since a machine should generally attempt to connect to a host called wpad in its own domain. I see it as a good idea though because you might run into issues if you ever have guest machines on your network or if you are using some sort of split DNS tunneling over a VPN client or something like that. It was a recommended step so we did it in DHCP on a Windows Small Business Server 2003.

Create an Option 252 Entry in DHCP

To create an Option 252 entry in DHCP, do the following.

Unless I left something out, that about does it. All you should have to do is to check the Automatic Proxy Detection box in your browser and you should be good to go. In Internet Explorer you can sort of push this setting down via GPO. Of course it's one of those whacked out policies that users can mess with if they know how. In Firefox I am not aware of a way to automate this but I'm sure somebody's written something.

Enjoy!