Specifications
MBG Engineering Guidelines, Release 8.0
small office and home NAT routers allow outgoing connections and responses to those outgoing connections.
Sites with more restrictive security policies may wish to use the following rules:
• Allow bi-directional TCP connections to destination ports 6801 and 6802 on the Mitel Border Gateway IP
address
• Allow bi-directional TCP connections to destination ports 3998 and 6880 on the Mitel Border Gateway IP
address (for 5235, 5330, 5340 and Navigator set features)
• Allow incoming UDP from source ports 20000 to 31000 on the Mitel Border Gateway IP address
• Allow outgoing UDP to destination ports 20000 to 31000 on the Mitel Border Gateway IP address
• Allow bi-directional TCP connections to destination ports 36005, 36006, 36007, 36008 and 37000 on the
Mitel Border Gateway IP address, if using UCA
• Allow incoming and outgoing UDP to port 5060 on the Mitel Border Gateway IP address, if SIP support is
desired
4.2 TFTP Behavior
Mitel IP phones require a TFTP server that holds their set firmware and HTML applications. For remote phones,
this TFTP service is provided by MBG.
Previous versions of MBG bundled a version of the HTML Applications and served them directly. This caused
some trouble with keeping versions in sync, especially with multiple ICPs. Since release 7.0, MBG does a proxy
request to the appropriate ICP instead.
When an IP phone connects to its ICP, the ICP (MCD) may issue a File Download directive over the SAC
protocol connection. MBG intercepts these directives and downloads the file on behalf of the remote set. It then
sends a modified directive to the set instructing it to download the cached file from MBG. This ensures that the
set receives the same file that it would if it were directly connected to MCD. MBG checks periodically for
updated HTML application files at the ICP. The frequency of checks depends on the feature set supported by the
ICP. It could be as often as every 10 minutes, or as infrequently as every 24 hours.
Note: MBG's file downloader does not know about any ICPs until sets connect to MBG and are thereby connected
to an ICP. This step happens after a set has already retrieved its firmware load via TFTP. For that reason, set
firmware loads are still bundled with MBG and are not fetched from the ICPs.
4.3 Firewall Configuration for Remote MiNet Devices
When MBG is deployed in the DMZ, the corporate firewall protecting the DMZ requires the following rules (in
addition to the common rules found in Firewalls (DMZ deployment)):
From the Internet to the MBG server:
• allow protocol TCP, destination ports 6801, 6802², 3998 and 6881
• allow protocol UDP, destination port 20001 (and return traffic)
From the MBG server to the LAN (or just ICPs):
• allow protocol TCP, destination ports 6800, 6801, 6802, 3998, 3999 and 6880
• allow protocol UDP, destination port 20001 (and return traffic)
Note: This is a minimal configuration. Refer to Appendix A: Firewall Configuration Reference for the full set of
rules and optional settings.
2 Port 6802 is not required for Enhanced Security mode
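The following added example (not part of the Mitel guidelines) audits a firewall rule export against the minimal section 4.3 rule set, reporting required flows that are missing and allowed flows that go beyond the minimum. The one-line-per-rule export format, the zone names and the sample rules are assumptions made for illustration; only the initiating direction of each flow is modelled, and the common DMZ rules referenced above are out of scope.

```python
# Minimal section 4.3 rules as listed on this page, keyed by (source, destination).
REQUIRED = {
    ("internet", "mbg"): {"tcp": {6801, 6802, 3998, 6881}, "udp": {20001}},
    ("mbg", "lan"): {"tcp": {6800, 6801, 6802, 3998, 3999, 6880}, "udp": {20001}},
}

def required_flows(enhanced_security=False):
    flows = set()
    for (src, dst), protos in REQUIRED.items():
        for proto, ports in protos.items():
            for port in ports:
                # Footnote 2: port 6802 is not required in Enhanced Security mode.
                # Assumption: it applies to the Internet-to-MBG rule it is attached to.
                if enhanced_security and (src, dst) == ("internet", "mbg") and port == 6802:
                    continue
                flows.add((src, dst, proto, port))
    return flows

def parse_rules(text):
    """Parse 'src dst proto port[-port]' lines (hypothetical export format)."""
    flows = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, ports = line.split()
        lo, _, hi = ports.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            flows.add((src, dst, proto.lower(), port))
    return flows

def audit(text, enhanced_security=False):
    # Returns (missing, excess) as sorted lists of (src, dst, proto, port).
    allowed, needed = parse_rules(text), required_flows(enhanced_security)
    return sorted(needed - allowed), sorted(allowed - needed)

# Constructed sample export: one required port absent, one range too wide.
SAMPLE = """
internet mbg tcp 6801-6802
internet mbg tcp 3998
internet mbg udp 20001
mbg lan tcp 6800-6802
mbg lan tcp 3998-3999
mbg lan tcp 6880
mbg lan udp 20000-20001
"""

if __name__ == "__main__":
    print("missing, excess:", audit(SAMPLE))
```

Passing enhanced_security=True makes an open Internet-facing port 6802 show up as excess, which is the tightening footnote 2 permits.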