I am trying to connect a 9971 over a VPN tunnel back to my call manager. I have a wide open tunnel back to my end. I have to open up ports on the firewall that is in front of call manager. I have TFTP and SIP opened up. I can see the phone trying to talk to the TFTP server on call manager as the firewall rule is incrementing. The phone isn't registering with call manager.
I can ping the phone from Call manager, so it has no problems in talking to it over the tunnel.
Any tricks to getting the 9971 to work over a VPN tunnel, or any ports beyond SIP/TFTP to have open?
Usually you do not have to open ports directly back to your CUCM but it sounds like you are trying to provision and connect the phone without having to bring the phone to the internal network. Usually the phone is provisioned and registered internally first. The internal provisioning allows the phone to download its TFTP configuration which contains the VPN URL and the certificates the phone trusts for the VPN connection.
If you look at the phone's Status messages, Settings button > Admin Settings > Status > Status Messages, what do you see there? Do you see a VPN icon on the applications menu, and if you do, when you select it is the VPN URL populated properly? If all of that looks good, the last step is to make sure you do not have "auto network detect" enabled in CUCM for your VPN connection. The phone will check what it has configured for its alternate TFTP and try to ping it; if the ping works, the phone determines it is internal and will not start the VPN.
I am going through a local ASA 5505 where the phone will be located. So it isn't doing its own VPN connection. My boss decided that he wanted to use a Remote ASA to do this and then have the phone plug into the ASA. I then was given the gear to get it working.
Do you have a point-to-point VPN between the branch ASA and the headquarters firewall?
If you have an IPsec tunnel with a split tunnel with the CUCM added, you could have communication with your CUCM from the branch.
You can try registering an IP Communicator first.