Thursday, August 16, 2012

ShoreTel Reverse Proxy for Mobile Communicator

I recently ran into an issue when attempting to create a reverse proxy between the ShoreTel HQ server and the outside world. I thought I would share the steps I took to get this working.

Scenario: You have purchased the Mobile Access License, which allows the ShoreTel Mobile Communicator to be used from a smartphone on the 3G/4G network. For mobile access to work, ports 80, 5447, and 5449 on the HQ server need to be reachable for authentication and the Communicator traffic. Exposing your ShoreTel HQ server on port 80 to the outside world is never recommended, so best practice is to build a reverse proxy that listens on a single external port and forwards requests to the three internal ports, selected by the URL path. Keep in mind what this does and does not buy you: the HQ server is no longer directly reachable from the Internet and only the URL prefixes matched by the rules below are forwarded, but the rules forward over plain http:// on the inside, so the proxy adds no encryption between itself and the HQ server.

Before you continue reading, download and read through the official ShoreTel Application Note#10370 found here.

Please use the steps in the application note to get everything set up. I followed this guide myself, but because the document is outdated I had to make the following changes to get it working:
  • Do not use port 5500 for the proxy's external port as specified in the application note. As of ShoreTel 12, port 5500 is in use by DTAS. I am not sure why this affects this scenario, but it did. Use any other unused port, for example 5505.
  • Change the web.config file to the following:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ShoreTel Authenticate Redirect" stopProcessing="true">
          <match url="^authenticate(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:80{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel CAS Redirect" stopProcessing="true">
          <match url="^cas(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5447{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel Director2 Redirect" stopProcessing="true">
          <match url="^director2(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5449{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
      <outboundRules>
        <preConditions>
          <preCondition name="IsHTML">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <urlCompression doStaticCompression="false" doDynamicCompression="false" />
  </system.webServer>
</configuration>
  • Restart IIS. If nothing is forwarded after the restart, confirm that Application Request Routing (ARR) is installed on the proxy server and that its proxy setting is enabled: URL Rewrite only forwards a Rewrite action whose target is an absolute URL on another host when ARR proxying is turned on.
This is all I did to get it working. All it took was a little Google-fu and a packet capture.
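To see exactly what the three rules above do to a request before you open a firewall port, the following script evaluates them the way IIS URL Rewrite would. It is an added example, not code from the original post or from ShoreTel: it parses a constructed copy of the rules section of the web.config, applies each <match url> regex to the request path (without its leading slash, case-insensitively, which is the module's default), substitutes the {R:1} back-reference into the <action url>, honours stopProcessing, and reports which internal port the request would reach. The host name shoretelhq.internal.name and all sample request paths are assumed for this run.

```python
"""Evaluate the IIS URL Rewrite rules from the ShoreTel proxy web.config offline.

Added example; not code from the original post or from ShoreTel. Only the URL Rewrite
semantics the three rules depend on are modelled: regex <match url> against the request
path relative to the site root, {R:N} back-references in <action url>, stopProcessing,
and the default ignoreCase="true" and appendQueryString="true".
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the rules section of the web.config shown on this page.
WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ShoreTel Authenticate Redirect" stopProcessing="true">
          <match url="^authenticate(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:80{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel CAS Redirect" stopProcessing="true">
          <match url="^cas(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5447{R:1}" logRewrittenUrl="true" />
        </rule>
        <rule name="ShoreTel Director2 Redirect" stopProcessing="true">
          <match url="^director2(.*)" />
          <action type="Rewrite" url="http://shoretelhq.internal.name:5449{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def load_rules(config_xml):
    """Parse each <rule> into (name, compiled pattern, target url, stopProcessing)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    rules = []
    for rule in root.iterfind("./system.webServer/rewrite/rules/rule"):
        match = rule.find("match")
        action = rule.find("action")
        if action.get("type") != "Rewrite":
            raise ValueError("only Rewrite actions are modelled: %s" % rule.get("name"))
        # ignoreCase defaults to true in URL Rewrite, hence re.IGNORECASE unless disabled.
        flags = 0 if match.get("ignoreCase", "true").lower() == "false" else re.IGNORECASE
        rules.append((
            rule.get("name"),
            re.compile(match.get("url"), flags),
            action.get("url"),
            rule.get("stopProcessing", "false").lower() == "true",
        ))
    return rules


def rewrite(rules, request_url):
    """Return (rule name, upstream URL) for a request, or (None, None) if no rule matches.

    A request that matches no rule is not proxied at all; IIS serves it from the
    local site, so the HQ server never sees it.
    """
    path, _, query = request_url.partition("?")
    path = path.lstrip("/")          # <match url> sees the path relative to the site root
    for name, pattern, target, stop in rules:
        m = pattern.search(path)
        if not m:
            continue
        # {R:N} -> N-th capture group of this rule's match (empty if the group is empty).
        upstream = re.sub(r"\{R:(\d+)\}", lambda br: m.group(int(br.group(1))) or "", target)
        if query:                    # appendQueryString defaults to true
            upstream += "?" + query
        if stop:
            return name, upstream
        path = upstream              # a non-stopping rule would feed the next rule
    return None, None


def upstream_port(upstream):
    """Port the proxy opens towards the HQ server, or None if the rewritten URL has no valid port."""
    try:
        return urlsplit(upstream).port
    except ValueError:               # e.g. "...:5447ual" produced by a sloppy prefix match
        return None


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    samples = ["/authenticate/login?user=x", "/CAS/session", "/director2",
               "/ShoreWareDirector/", "/casual"]
    for req in samples:
        name, upstream = rewrite(rules, req)
        if upstream is None:
            print("%-28s -> not forwarded" % req)
        else:
            print("%-28s -> port %s  %s" % (req, upstream_port(upstream), upstream))
```

Two things the run makes visible that the config alone does not. First, the rules strip the prefix: /cas/session reaches the HQ server as /session on port 5447, and a request that matches none of the three prefixes (for example /ShoreWareDirector/) is not forwarded, which is the whole point of fronting the HQ server with this proxy. Second, the patterns are plain prefixes rather than path segments, so /casual also matches ^cas(.*) and is rewritten to http://shoretelhq.internal.name:5447ual, a URL with no valid port. It does not reach the HQ server, but if you want the rules to match only the intended path segments, anchoring them as ^cas(/.*)?$ (and likewise for the other two) is a tighter choice; the rules above are left as the author posted them because they are what worked in their environment.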

7 comments:

  1. Thanks. If there is something specific that you would like me to write an article on with regards to ShoreTel, let me know.

  2. Hi

    Can you please provide the full steps for doing this?

  3. Everything works, but when we turn on AD integration in SW Director for a user, they cannot log in via the app.

    Replies
    1. Unfortunately, I do not have AD integration turned on in my test environment so I cannot test this. My guess is that the remote client is attempting to authenticate to AD and is getting blocked or something. I would check the ShoreTel KB to make sure that AD integration doesn't break reverse proxy in general.

  4. Anyone else having issues with URL Rewrite not importing the web.config file?

  5. I am having an issue connecting with my phone. I followed the web.config and set up the ports in my firewall etc., but the only indication is the window "Cannot logon to server!"
