Mitel HX 5000 SIP and VoIP ports

I am just setting this down as a resource for those trying to get Mitel IP Phones, SIP trunks or SIP devices working on a 5000.

Mitel Handsets.
The following ports need forwarding on your router to the internal IP of the phone system.

69/UDP - FTP port for downloading firmware to phone
20001/UDP - Alternative FTP port if 69 is not available or you want it closed for security
6800-6802/TCP - Call Control
3998-3999/TCP - Call Control
6004-7039/UDP - Voice transmission to 5000

You need to remember to set the IP Extensions Network properties to NAT and make sure that the IP Connections NAT address is the public IP of the router.

This appears to work the majority of the time. We have found BT Homehubs to be particularly likely to fail to work at the remote end and they are so locked down in recent releases you may not be able to get a phone to work with them.

Inter-tel Handsets
5566 TCP - Control
5567 UDP - Control
6004-7039 UDP - Audio

SIP Trunks
We seem to find that it differs from router to router whether it will work at all, and we have found most success when the routers own SIP algorithm is turned off and the system allows for this.

The problem with SIP and NAT is that if the phone system is set in default the the SIP packets go out with the internal IP address of the phone system in them. Then the responding party doesn't know which public IP  address to send them back to.  The 5000 can be told the public IP and insert it in the SIP packets. That way the SIP packet wrapper and the payload both have the same IP address in them.

Dependant on the provider and the router used you may not need any port forwarding. I prefer on our Netgear FVS338 to leave port 5060 closed. 'But how will a sip call get in?' I hear you cry.  If SIP Pinging is turned on in the system, the phone system will send an OPTIONS message every minute to the SIP server on the internet, thus opening port 5060 but only for packets returning from the sip server, thus protecting you from continual SIP hacker attacks.

However with some routers/firewalls you will have to do port forwarding.


5060/UDP & TCP - SIP signalling.
Set Sytem NAT public IP address in both IP Connection and in System IP Settings to match the public IP of the router.

In the SIP Peer Group set the NAT type to 'Non SIP aware NAT' if the router SIP alg is off.

EDIT - SIP ALG - Usually when behind NAT you would set the phone system to NAT, however if the router has a SIP ALG then this attempts to sort out the NAT issue and can cause conflict.  Either set the phone system to NO NAT OR SIP AWARE NAT or turn off the SIP ALG.
On a Draytek (my favoured router) issue the below commands from SSH to turn off SIP ALG
sys sip_alg ?  (this will offer help and tell the sip alg status.)
sys sip_alg 0  (to turn off)
sys commit
sys reboot

----------------------------

SIP Devices
These are the really tricky ones and you may need to get a border controller installed for security and for devices to work at all. The SIP port has to be open for access from any IP address, as you don't know where your mobile SIP user may end up. This could therefore defeat protection put in place for SIP trunks. As the RTP stream may be initiated from the device.
You will need to open


5060/UDP & TCP - SIP signalling.
You may need to forward RTP ports for voice transmission, dependant on device.
The SIP Phone group has a NAT setting which will need to be set for NAT
Set Sytem NAT public IP address in both IP Connection and in System IP Settings to match the public IP of the router.


While the above is my experience I am open to suggestions and additional information, so please post a response if you have anything to add.

John Rogers
Telecom Care Ltd