I have received a few emails over the months regarding getting ISA 2004 to work with Vonage. I suppose it should really be getting Vonage to work with ISA 2004. So I decided to type up my resolution to this problem.

I have been running Vonage with my VoIP adapter behind the firewall since I started the service. I have to admit, I set it up pretty simply and with nowhere near the level of security that I should have, so I decided to tighten things up for the purposes of this post.

My configuration – ISA 2004 Enterprise running on Windows 2003 R2 Enterprise and using the Motorola VT2442 VoIP router.

Config

First, I use my ISA server as my DHCP server for my local LAN. I have seen other postings about assigning the WAN interface of the VoIP adapter a DHCP address and then creating rules in ISA to support that. However, I like simplicity. I also like the idea of my phone having as much uptime as possible, so by eliminating DHCP issues I don’t have to worry about losing phone service if there were ever a problem with DHCP. I decided to create a reservation in DHCP for the address I assigned the VoIP adapter, then I statically assigned that address to the WAN interface. I also provided the subnet mask and default gateway (pointing to the ISA server’s internal LAN interface). This is a one-time config: I know what the IP will always be, and there are no worries about DHCP issues.

I also disabled the firewall on the VoIP adapter and allowed pings to the external interface. Now I can set up a connectivity verifier in ISA to alert me if the VoIP adapter is ever unreachable.

The next step is to find out what ports Vonage uses. I fired up the ISA monitor and filtered on a Client IP of 10.0.0.222, as per my setup in the graphic. This allows me to see what kinds of communication requests are being sent from the VoIP adapter. On a whim, I decided to hit the Vonage site to see how helpful it would be. Lo and behold, I quickly found the ports Vonage uses. Outbound communications: UDP 53 (DNS), UDP 21, 69, 2400 (TFTP), UDP 80 (HTTP), UDP 123 (NTP). I did not have to use UDP 5061 (SIP) since my device is newer. There is also a huge range of UDP ports that needs to be allowed for both inbound and outbound: UDP 10000 to 20000. All of the other ports are predefined by service type within ISA.

RTC

For this latter range, I created a new protocol in the ISA toolbox called RTC and provided the range. Since Vonage VoIP adapters “call home” to establish their initial communications pathway, I set the direction to Send Receive. This means the VoIP adapter can call home and keep the ports open for the inbound communications. It also means we don’t have to create any publishing rules, since all of the communications are initiated by the VoIP adapter from behind the ISA firewall.


Compobject

I flipped back to my monitoring and confirmed that the ports provided by Vonage were all that were necessary and that it all matched up. Since I want to limit the ports the VoIP adapter is using, as well as limit what ports are accessible from the outside world, I decided to create a computer object to represent the VoIP adapter and to simplify creating the firewall policies.

This is also accomplished through the ISA 2004 toolbox.


Now it is time to create the firewall policies.

Policy

Again, since all communications are initiated by the VoIP adapter, only a single rule is necessary. Since we defined the RTC (Vonage) protocol as Send Receive, it too can be included in the policy. As you can see from the graphic above, we simply allow only the protocols needed by the Vonage “computer” object to the External network. Since no publishing is involved, we don’t need to worry about opening any additional inbound ports on the firewall. And since the RTC protocol definition is designated as Send Receive, those ports are only opened when a call is made or accepted, and are only open for the duration of the call.
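To make the behaviour of that single rule concrete, here is an added example (my own illustration, not ISA code or anything from Vonage) that models the policy described above: the VoIP adapter’s computer object (10.0.0.222) may initiate UDP to the External network only on the listed ports, and inbound UDP is accepted only as the reply to a flow the adapter opened, for as long as that flow is alive. The model simplifies ISA’s Send versus Send Receive distinction by tracking every allowed outbound flow statefully, and the 60-second idle timeout, the External addresses (203.0.113.10, 198.51.100.5) and the packet sequence are all assumptions I constructed for the demonstration.

```python
"""Stateful model of the single Vonage access rule (constructed example, not ISA code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VOIP_ADAPTER = "10.0.0.222"   # the "computer object" from the post
IDLE_TIMEOUT = 60.0           # assumed: seconds a UDP pinhole stays open after the last packet

# UDP destination ports the adapter may open outbound to External (from the post):
# DNS 53, TFTP 21/69/2400, HTTP 80, NTP 123, and the RTC range 10000-20000.
ALLOWED_UDP_PORTS = {53, 21, 69, 2400, 80, 123} | set(range(10000, 20001))

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = internal -> External, "in" = External -> internal


class VonageRule:
    """Adapter -> External on ALLOWED_UDP_PORTS; replies allowed only for live flows."""

    def __init__(self) -> None:
        self.pinholes: Dict[Flow, float] = {}  # flow -> timestamp of last packet seen

    def _expire(self, now: float) -> None:
        # A pinhole closes once the flow has been idle longer than IDLE_TIMEOUT,
        # which is what "only open for the duration of the call" means in practice.
        self.pinholes = {f: t for f, t in self.pinholes.items() if now - t <= IDLE_TIMEOUT}

    def evaluate(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        if pkt.direction == "out":
            # Only the adapter's computer object matches, and only on the allowed ports.
            if pkt.src_ip == VOIP_ADAPTER and pkt.dst_port in ALLOWED_UDP_PORTS:
                self.pinholes[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.ts
                return "allow"
            return "deny"
        # Inbound: nothing is published, so only the exact reverse of a live flow passes.
        reverse: Flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.pinholes:
            self.pinholes[reverse] = pkt.ts  # keep the pinhole alive while the call lasts
            return "allow"
        return "deny"


def run_scenario() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    rule = VonageRule()
    packets = [
        # 1. Unsolicited inbound on an RTC port with no call in progress -> deny
        Packet(0.0, "203.0.113.10", 12000, VOIP_ADAPTER, 15000, "in"),
        # 2. Adapter "calls home" on the RTC range -> allow, opens the pinhole
        Packet(1.0, VOIP_ADAPTER, 15000, "203.0.113.10", 12000, "out"),
        # 3. Reply on the same flow -> allow
        Packet(2.0, "203.0.113.10", 12000, VOIP_ADAPTER, 15000, "in"),
        # 4. Inbound to a different adapter port, no matching flow -> deny
        Packet(3.0, "203.0.113.10", 12000, VOIP_ADAPTER, 15001, "in"),
        # 5. Adapter tries SIP on 5061, which the post does not allow -> deny
        Packet(4.0, VOIP_ADAPTER, 5062, "203.0.113.10", 5061, "out"),
        # 6. Another LAN host is not the computer object -> deny
        Packet(5.0, "10.0.0.50", 15000, "203.0.113.10", 12000, "out"),
        # 7. Same flow as #3 but idle for 68 s, pinhole has expired -> deny
        Packet(70.0, "203.0.113.10", 12000, VOIP_ADAPTER, 15000, "in"),
        # 8. DNS lookup from the adapter -> allow
        Packet(71.0, VOIP_ADAPTER, 40000, "198.51.100.5", 53, "out"),
    ]
    return [rule.evaluate(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(f"packet {i}: {verdict}")
```

Packets 1, 4 and 7 are the ones worth watching: the RTC range is wide, but without a flow the adapter itself opened, or after that flow has gone idle, inbound traffic on it is still dropped, which is why no publishing rule is needed.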

Simple, Secure, and it works.

I hope this helps those of you who have had issues or wish to secure it a little more. You can accomplish the same thing with an “Allow All Protocols” rule, but I like having the comfort of knowing the adapter isn’t doing more than I want it to. This solution provides for easy monitoring and a minimum number of changes to your ISA config.


Cheers!