How to set up L2TP VPN in Cyberoam

If you need a super easy VPN that can be used without buying a software client like Cisco VPN Client, then L2TP is definitely the way to go. Windows 7, Vista and XP all have a built-in VPN client that can hook up to it. It’s a really good alternative to traditional IPSEC especially for your road warriors.

 L2TP Connection Setup

  1. Log into your Cyberoam and click “VPN” on the left hand side.
  2. Select L2TP and fill in the blanks.
    1. The Local IP address should be the one corresponding to the LAN port on your Cyberoam.
    2. “Assign IP” should be a range of UNUSED IP addresses on your Local Network. I selected a range of 10. For example, if through were not used for anything on your network and could be reserved for this, put those IP addresses in these fields.
    3. The DNS server blanks should be your internal network DNS servers so that your users can hit your internal servers without IP addresses. Please see the note below on client set up as I’ve run into a couple of issues with this.
    4. You can add a WINS server, but who uses WINS anymore?
  3. Once you’re done there click on save, then click the policy tab.
  4. You can use the Default L2TP policy, I know it works just fine.
    Capture of Cyberoam L2TP settings
  5. Select pre-shared key in the drop down and put in a good strong passkey for your connection. Cyberoam will typically recommend a simple number sequence for testing purposes and to ensure you confirmed it correctly on both ends. You can start out with something like “12345678” but please change this after you’ve tested it.
  6. The WAN port should be the internet facing IP address your users will be entering into Windows. Please note that if you don’t have a static IP address for your internet connection, you’ll need to use a dynamic DNS service or configure Cyberoam’s dynamic DNS service.
  7. I usually check the “Allow NAT Traversal” checkbox. This helps if your end users are behind a router somewhere.
  8. Set Remote LAN Network to “Any” as you might not know how the other end’s network is set up.
  9. Leave remote ID like it is.
  10. Leave the Quick Mode Selectors as default (it should look like the picture above), unless you know you need a different port.
  11. Click Save, and activate the connection.

L2TP users

I like using Active Directory Integration anywhere I can but for some reason the Cyberoam doesn’t like LDAP users authenticating to it over VPN. I might have a setting wrong, but I’ve never gotten this to work right anywhere I’ve installed one. If you have LDAP/AD integration set up, you’ll just need to add extra users in the Cyberoam for L2TP access. If you imported all your users manually then you can just go into the users you want to give access to and select the L2TP enable box.

Setting Up Windows VPN

I assume Windows 7 for this. Vista directions are almost identical, XP should be easy to figure out. I would imagine Windows 8 uses the same basic wizard as Vista/7.

  1. Go into your network and sharing center and click “Set up a new connection or network”.
  2. Select “Connect to a Workplace” in the next window. Click Next.
  3. Select “Use my Internet Connection (VPN)”
  4. Type in the IP address you selected in step 6 when you set up the L2TP connection on the Cyberoam. You can also put a DNS name here if you want (Like if you use dynamic DNS or have a DNS record set up on the internet for this IP). Name the Destination. I also will typically select the “Allow other people to use this connection” if multiple usernames will be used on the target computer. Click Next.
  5. Put the username and password in on the next window. These are the Cyberoam user names. Again if you use LDAP you may or may not be able to use your normal Windows login credentials here. I typically don’t send the Domain if I set up Cyberoam specific usernames for this. Click Next.
  6. It will attempt to connect, but you want to skip that because you need to enter a pre-shared key into the Windows settings.
  7. Go back into Network and Sharing Center and click on “Change Adapter Settings”.
  8. You’ll see the VPN connection you just set up here. Right click on it and hit properties.
  9. Everything on the General Tab should be fine. Click on the Options tab. I typically uncheck “Send Windows Domain” since you are logging in with a Cyberoam account. Click on PPP Settings and make sure the bottom two boxes are unchecked.
  10. Click on the Security Tab. Change “Type of VPN” at the top to “L2TP”, this will save a LOT of login wait time. Click the Advanced button under the drop down and select “Use preshared key for authentication”. Enter the same key you put into the Cyberoam in step 5.
  11. Under Data encryption I will select “Optional Encryption” for testing purposes. Required encryption works fine though.
  12. Select “Unencrypted password (PAP)” under the allowed protocols. I usually just do this to test the connection, I take it off for production.
  13. Click the Networking tab. It’s a good idea to manually enter the DNS servers under the IPv4 properties. For some reason the DNS servers aren’t always transmitted to the client.
  14. Click OK.
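The same client profile can be created without the wizard. This is an added example, not part of the original post: it uses the VpnClient PowerShell module (Windows 8.1 / Server 2012 R2 and later; it does not exist on Windows 7, which the post targets), and the connection name, server name, user name and DNS addresses are placeholders. It builds two profiles, the test profile the post describes in steps 11 and 12 (optional encryption, PAP) and a production one with required encryption and MS-CHAPv2, so the test profile can be deleted once the tunnel is confirmed.

```powershell
# Added example (not from the original post): the Windows VPN wizard steps above as PowerShell.
# Assumes the VpnClient module (Windows 8.1 / Server 2012 R2 or later) and placeholder values.
$VpnName     = 'Office L2TP'                 # placeholder connection name
$VpnServer   = 'vpn.example.com'             # placeholder: WAN IP or dynamic DNS name from Cyberoam step 6
$InternalDns = @('10.0.0.10', '10.0.0.11')   # placeholder: internal DNS servers from Cyberoam step 2
$User        = 'cyberoamuser'                # placeholder: Cyberoam account, no DOMAIN\ prefix (step 9)

# The pre-shared key from Cyberoam step 5. Prompt for it rather than leaving it in the script.
$Psk = Read-Host -Prompt 'L2TP pre-shared key'

# Test profile: matches steps 11-12 (optional encryption, PAP) so the tunnel and the account can be
# confirmed separately. Remove it once the production profile connects.
Add-VpnConnection -Name "$VpnName (test)" -ServerAddress $VpnServer `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod Pap -EncryptionLevel Optional `
    -RememberCredential -Force

# Production profile: same tunnel and key, but required encryption and MS-CHAPv2 instead of PAP.
Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -Force

# Dial the production profile; "*" makes rasdial prompt for the password instead of taking it on the
# command line (where it would end up in the shell history).
rasdial $VpnName $User *

# Step 13: the DNS servers are not always pushed, so set them on the PPP adapter once it is up. The
# adapter takes the connection name as its alias. This covers the current session only; the
# persistent setting is still the one in the adapter's IPv4 properties.
Set-DnsClientServerAddress -InterfaceAlias $VpnName -ServerAddresses $InternalDns

# Check what was created.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Once the production profile works, drop the PAP test profile.
# Remove-VpnConnection -Name "$VpnName (test)" -Force
```

The two `Add-VpnConnection` calls differ only in `-AuthenticationMethod` and `-EncryptionLevel`, which is the same change the post makes by hand when it moves from testing to production.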

You should be able to connect just fine. Remember you’ll need to test this outside your own LAN. The only problem I’ve had with this method is that the connection occasionally needs to be reset by de-activating and re-activating it under the L2TP connections tab in the Cyberoam. I wouldn’t use this for more than a few users.

The main reason you won’t be able to connect is if you typed the pre-shared key incorrectly. The second reason is usually an incorrect user/password combination. The third biggest reason is the connection needs to be reset as mentioned above. Also I’ve never been able to get more than one remote user per site to be able to connect successfully. So don’t do this and send teams of people to one place on a shared internet connection and expect them all to be able to connect.



ShoreTel Communicator Not Installing Properly – Fixes

If you’ve got a new ShoreTel system install, there are a few things that can go wrong with installing Communicator on people’s machines. Several problems I’ve run into are the following:

  • ShoreTel Communicator install isn’t writing the registry key. It seems to install fine otherwise.
  • Communicator fails midway through the installation.
  • Communicator demands to have .NET Framework 3.5 installed, but can’t download it.
  • Some other dependency won’t install.
  • Pushing Communicator out through Group Policy doesn’t work.
  • Pushing Communicator out through Desktop Authority (or similar software) doesn’t work.
  • Communicator asks for a password to install.

Most of these problems are not actually problems with ShoreTel Communicator, they’re security policy conflicts. Here’s how to remedy these 99% of the time.

  • Turn off UAC in Vista if you can. This is a big one, it screws up some older versions of the install package. Most of the stuff UAC controls, you can control with group policy. This assumes you have a domain.
  • Try to install Communicator from a local administrator account. Sometimes running it as Administrator won’t cut it, especially if you’ve got roaming profiles and such.
  • Do a Full Uninstall of Communicator. You must be logged in as an Administrator account. I use the local Administrator account when I do this for speed reasons. Here are the steps:

Step 1– Uninstall Communicator the normal way. If this fails, just skip to the next step. If it succeeds, well you need to do the following steps anyway.

Step 2 – Delete the following folder: “C:\Program Files\Shoreline Communications”. Delete all of it. Use one of those disk wipe utilities if you have to. If ANYTHING is in here, this can cause the install to fail. If you see a Shoreline Teleworks folder here too, get rid of it.

Step 3 – Delete the following registry key: “HKEY_CURRENT_USER\Software\Shoreline Teleworks”. Usually you’ll find one under HKEY_LOCAL_MACHINE\SOFTWARE\Shoreline Teleworks as well. You may also see a “Shoreware Communications” or similar key. This is usually because of an older install on the computer. You shouldn’t see this with a brand new install.

Step 4 – Go into Control Panel and click on Phone and Modem. You may have to set this up; just enter an area code, the number 1, and the number 9 in the blanks.

Step 5 – Once you have the Phone and Modem thing set up, click on the Advanced tab and make sure to delete any entry here with “ShoreTel” in the name. Normally you will see one entry: “ShoreTel Remote TAPI Service Provider”. If you see two like this, that’s why ShoreTel isn’t installing right, or isn’t working right once installed.

Step 6 – Click OK and Reboot your computer.

Step 7 – Once you’ve done this, log back into the computer under the same local administrator account and re-install Communicator. It should install just fine.

Step 8 – Log into the user’s account, run ShoreTel again and let it finish setting up.

  • Sometimes it’s not Communicator or any security policies but a corrupt user profile. Remove the user profile and many times that will fix the problem as well.

I’ve found that if you get to step 8 of the “Full Uninstall” and it isn’t remembering settings, meaning it won’t write the registry values, that you need to turn UAC off if at all possible. You may need to delete the ShoreTel registry keys from the current user as well. You might have to log back in as an administrator and load that user’s hive if your permissions don’t allow you to do this from their account.
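Steps 2, 3 and 5 of the Full Uninstall, plus the other-user hive note just above, can be checked from a script before anything is deleted. This is an added example, not from the original post or from ShoreTel: the folder and key names are the ones the post gives (with the `(x86)` and `WOW6432Node` variants a 32-bit installer leaves on 64-bit Windows), but the `^Shore` key-name match and the test for ShoreTel TAPI providers by DLL file name under the Telephony\Providers key are my assumptions, so review what `Get-ShoreTelLeftovers` reports before running the removal.

```powershell
# Added example (not from the original post): report, then optionally remove, the leftovers that
# steps 2, 3 and 5 of the Full Uninstall target. Run from an elevated local administrator account.
function Get-ShoreTelLeftovers {
    # Step 2: program folders, on both 32- and 64-bit Windows (the post's "(x86)" note).
    $folders = @("$env:ProgramFiles\Shoreline Communications",
                 "${env:ProgramFiles(x86)}\Shoreline Communications",
                 "$env:ProgramFiles\Shoreline Teleworks",
                 "${env:ProgramFiles(x86)}\Shoreline Teleworks") | Where-Object { Test-Path -LiteralPath $_ }

    # Step 3: "Shoreline Teleworks", "Shoreware Communications" or similar keys in the user and machine
    # hives. Assumption: every relevant key name starts with "Shore".
    $hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\Software')
    $keys = foreach ($h in $hives) {
        Get-ChildItem -Path $h -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^Shore' } |
            ForEach-Object { $_.PSPath }
    }

    # Step 5: TAPI service providers, the list behind Phone and Modem > Advanced. Two ShoreTel entries
    # here is the duplicate the post describes. Assumption: the ShoreTel TSP file name contains "shore".
    $tapi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers'
    $providers = @()
    $props = Get-ItemProperty -Path $tapi -ErrorAction SilentlyContinue
    if ($props) {
        $providers = $props.PSObject.Properties |
            Where-Object { $_.Name -like 'ProviderFileName*' -and $_.Value -match 'shore' } |
            ForEach-Object { $_.Value }
    }

    [pscustomobject]@{ Folders = @($folders); RegistryKeys = @($keys); TapiProviders = @($providers) }
}

function Remove-ShoreTelLeftovers {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $left = Get-ShoreTelLeftovers
    foreach ($f in $left.Folders) {
        if ($PSCmdlet.ShouldProcess($f, 'Remove folder')) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
    foreach ($k in $left.RegistryKeys) {
        if ($PSCmdlet.ShouldProcess($k, 'Remove registry key')) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    # TAPI providers are only reported: the ProviderFileNameN/ProviderIDN values are numbered, so
    # deleting one by hand leaves a gap. Remove them in Phone and Modem > Advanced as in step 5.
    if ($left.TapiProviders.Count -gt 0) {
        Write-Warning "ShoreTel TAPI provider(s) still registered: $($left.TapiProviders -join ', ')"
    }
}

# The other-user case from the note above: load that user's hive (user logged off), clear the key,
# unload. Shown as comments because the profile path is site-specific.
# reg load HKU\OtherUser "C:\Users\<name>\NTUSER.DAT"
# Remove-Item -LiteralPath 'Registry::HKEY_USERS\OtherUser\Software\Shoreline Teleworks' -Recurse -Force
# reg unload HKU\OtherUser

Get-ShoreTelLeftovers                 # report first
Remove-ShoreTelLeftovers -WhatIf      # dry run; drop -WhatIf to delete (each item is confirmed)
```

`Remove-ShoreTelLeftovers` goes through `ShouldProcess`, so `-WhatIf` lists what would go and the real run asks per item; the reboot and reinstall in steps 6 and 7 are unchanged.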

A tool that can help is Privilege Authority from ScriptLogic. That’s cleared up a lot of problems for us. They have a free version that will help you solve this. There is a ShoreTel Communicator rule in the Community. If you have a 64 bit version of Windows you’ll need to alter the path of where it looks for the program (just add (x86) to the Program Files part of the path).

If you’re upgrading your ShoreTel installation you’ll get some similar problems to above. The Full Uninstall method will clear these up too. One odd problem I’ve found when pushing Communicator through Group Policy or Desktop Authority is that it doesn’t always uninstall the old version correctly. You’ll know this happens when you see two entries for ShoreTel Communicator, and one may or may not have the icon filled in. This requires you to do a Full Uninstall and then delete all the registry keys. After you’ve done this you’ll need a tool like CCleaner to remove any entries in Programs and Features.


PRI Trace on ShoreTel Switch

This post is about how to do a PRI trace on a ShoreTel T1 switch. I couldn’t find good text instructions on how to do this on the internet. Dr Voip has instructions on how to debug caller ID but if you need a trace log, it won’t help much. It’s probably in the ShoreTel knowledge base, but I’ve been a little disappointed with this in the past. I won’t go into how to interpret the output either, this is just instructions on how to get a log easily for sending to your ShoreTel partner for analysis.

ShoreTel Partners: Feel free to send this page to your customers for instructions. I feel this is a thorough explanation of how to do this.

First things first, you’ll need some special software for this one. You’ll need a telnet client with logging ability; the one that comes with Windows is difficult to get to log easily. Personally I like PuTTy. It’s a nice standalone application, and doesn’t need you to install it anywhere, just copy the putty.exe file wherever you want it, it’ll run from there. I keep it on my desktop at work, and on a shared folder.

The second thing you need to know is that you MUST do this from the ShoreTel server itself. This can be accomplished with a Remote Desktop session; you cannot do this from a session on another computer.

  1. Remote into the ShoreTel server (or log in from the console), and fire up PuTTy. I keep a copy of PuTTy on my ShoreTel server, on the desktop of whatever admin account I’m logging in with.
  2. You’ll want to make a saved session for your T1 switch. So open ShoreTel Director and open the Quick Look page if it doesn’t go there by default. Click on whichever site has the T1 switch you need to get the log from. Make note of the IP address of that T1 switch. You’ll need it a lot.
  3. In PuTTy select “Telnet” and type (or paste) in the IP address of the switch up top under “Host Name (or IP address)”. One trick you can do is add an entry in your DNS server called “priswitch” and connect it to that IP address. Makes things a lot easier, just never change the IP. Go ahead and give it a label in the “Saved Sessions” and click save. If you need to, select what you just saved and click “Load” to make sure it’s the session that is now active. You’ll know if you need to if the IP address field is blank.

    PuTTy settings for connecting to a ShoreTel switch.
    Yes, I censor IP addresses.
  4. Click the Logging item under “Session” and make the options look like below (click on the image for a better look). The file will be saved wherever the PuTTy.exe file is located.
    PuTTy Logging capture settings.
  5. Click on the Connection Item, and set the Seconds between keepalives box to 30. The ShoreTel switch will kick you out after about 60 seconds, so having it send a null packet every 30 seconds is handy.
    PuTTy settings for insuring connection stays up.
  6. Go back to the Session screen and click save. Now you have a session that’s automatically configured to keep whatever output comes from your PRI switch telnet session. Don’t open the session just yet, you have to allow access to the PRI switch.
  7. Open a command prompt and type this in and hit enter: “cd pro*\sho*\*ser*”. This will take you to the ShoreTel server directory under Program Files.
  8. Type this in the command prompt: “ipbxctl -telneton [IP address of T1 Switch] ” and hit enter.
  9. It will ask you for a password. You can google this or get it from your partner. It’s not a hard password to figure out. If it was correct it will say something like “Telnet enabled”
  10. Open the session you saved in PuTTy. It will ask you for a username and password. This item is documented in your ShoreTel administration guide under how to set up a switch.
  11. In an old switch it will probably dump you right into the VMX shell. Most newer switches will give you an ASCII ShoreTel logo and a numbered menu. If this is the case, type “gotoShell”.
  12. This will give you a prompt that looks like this ->.
  13. You’ll probably get some random output at this point so you just need to type the following commands and hit enter and keep in mind you may not be able to see what you are typing. My advice is to just type slow and not worry about it. Most switches won’t allow the use of a backspace. So just be careful.
  14. Type in the following commands one right after another:
      trunk_debug_level=5
  15. You’ll get a LOT of stuff just scrolling up the screen if you did this right. Now all you need to do is run it for however long you need the log for, or whatever your partner tells you to do. PuTTy will constantly dump the output in this window to a log file.
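Steps 3 through 10 can be scripted so the saved session is identical every time. This is an added example, not from the original post or from ShoreTel: it writes the PuTTY session straight into PuTTY's registry store (HKCU\Software\SimonTatham\PuTTY\Sessions; the value names are PuTTY's, but check them against your version), locates ipbxctl.exe with the same wildcard idea as the post's `cd pro*\sho*\*ser*` trick (the full folder name is my assumption), and then opens the session. The switch IP, session name and log folder are placeholders. Run it on the ShoreTel server, as the post requires.

```powershell
# Added example (not from the original post): build the PuTTY saved session from steps 3-6, run the
# ipbxctl step, open the session. Placeholders and assumptions are marked.
$SwitchIp    = '192.0.2.10'                  # placeholder: T1 switch IP from Director's Quick Look page
$SessionName = 'priswitch'                   # placeholder; PuTTY URL-encodes spaces in names, so keep it simple
$LogDir      = "$env:USERPROFILE\Desktop"    # absolute path, so the log does not depend on where putty.exe sits

# Steps 3-6: the saved session. LogType 2 = "All session output"; PingInterval/PingIntervalSecs are the
# minutes and seconds parts of the keepalive, so 0/30 = every 30 seconds, under the switch's ~60 s timeout.
$key = "HKCU:\Software\SimonTatham\PuTTY\Sessions\$SessionName"
New-Item -Path $key -Force | Out-Null
$settings = @{
    HostName         = $SwitchIp
    Protocol         = 'telnet'
    PortNumber       = 23
    LogType          = 2
    LogFileName      = "$LogDir\pri-trace-&H-&Y&M&D-&T.log"   # PuTTY expands &H host, &Y&M&D date, &T time
    LogFlush         = 1                                       # write through, nothing lost if PuTTY dies
    PingInterval     = 0
    PingIntervalSecs = 30
}
foreach ($s in $settings.GetEnumerator()) {
    $type = if ($s.Value -is [int]) { 'DWord' } else { 'String' }
    Set-ItemProperty -Path $key -Name $s.Key -Value $s.Value -Type $type
}

# Steps 7-9: enable telnet on the switch. Assumed folder: Program Files\Shoreline Communications\
# ShoreWare Server, matched by wildcard like the post's cd trick. ipbxctl prompts for its own password.
$ipbxctl = Get-ChildItem -Path "$env:ProgramFiles\Sho*\*Ser*\ipbxctl.exe",
                               "${env:ProgramFiles(x86)}\Sho*\*Ser*\ipbxctl.exe" -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $ipbxctl) { throw 'ipbxctl.exe not found; this has to run on the ShoreTel server.' }
& $ipbxctl.FullName -telneton $SwitchIp

# Step 10: open the saved session. The switch login, "gotoShell" and the debug commands are still typed
# by hand in the PuTTY window; everything it shows goes to the log file set above.
$putty = Get-Command putty.exe -ErrorAction SilentlyContinue
if (-not $putty) { throw 'putty.exe is not on the PATH; add its folder or copy it next to this script.' }
& $putty.Source -load $SessionName
```

Because the session lives in the registry, it is per user: create it under the same admin account you remote in with, which is also where the post keeps its copy of putty.exe.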


One thing I have found out is that it’s a good idea to have 7zip installed on your ShoreTel server as the log files you have to send to ShoreTel are huge. These log files will compress down very small since they are just text files and allow you to simply e-mail them to TAC or your partner.


How To Look Up Phone Service Providers By Area Code and Extension

Sometimes you need to not only know where a phone number is dialing from (area codes tell you this) but who provides the phone number, and whether it’s a cell phone or not. Typically you can get all this information from one website. Here’s how to do it and how to interpret what comes back. This works for the United States, Canada, and Caribbean countries.

This particular site gives a lot of information. Its main use is for finding out whether a call is local or not. This can help with assigning local prefixes to your ShoreTel system. I have a script that’ll clean the site’s output up and allow you to import it into your ShoreTel system. If anyone wants it please comment and I’ll post it!

  1. Go to Local Calling Guide
  2. Click on the Area Code/Prefix link under the search section to the right.
  3. Type in the area code in the NPA box, and the prefix into the NXX box. If you know the first digit of the last four digits of the phone number you can put it in the block box but that isn’t needed.
  4. Click on Submit


You’ll get a table of items back. This is how you tell what kind of phone number this is.

The NPA-NXX-X block is the area code/prefix blocks. In the case above Pathwayz has the entire 806-350 block. If multiple carriers own a block it will look something like 806-350-1, 806-350-2, and it would have who owns each block listed next to it. If your phone number was 806-350-1xxx it would be in the 1 block.

The Rate Centre box will tell you what city the phone number is located in. The Region box will show a state. The Switch is what switch the phone number is on. If the Switch is blank, many times this is a cell phone but that’s not always a good indicator.

The OCN will give you the carrier of the phone. This is how you tell whether it’s a cell phone or a land line. If it says something like “Southwestern Bell” it’s usually a landline, if it’s a cell phone it will give a wireless company’s name, and will usually have “wireless” or “cell” in the name. Verizon wireless will show up as “Verizon Wireless” but their land lines will show up as just “Verizon” most of the time. The example above is a land line block from a local phone company.

The LATA code is used to figure long distance rates. I have no idea what this means in Canada, but in the US that’s what it means on a basic level. This isn’t always exact either so click on the block link for local vs. long distance calls, not trying to match the LATA.

The other fields aren’t very important but can tell you when a block of numbers was discontinued. I haven’t ever seen these filled in, but in bigger cities they might be.

The map link will give you a Google Map of where the rate center is. Not terribly useful but convenient.
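The reading rules above (whole prefix vs. thousands block, OCN name for cell vs. landline, blank Switch as a weak hint) are small enough to put in a function. This is an added example, not from the original post or from the Local Calling Guide site: the rows are constructed for the example (the 806-350 Pathwayz row the post mentions, plus an invented split prefix under 806-555 with made-up carrier names), the column names follow the post's description of the result table, and the “wireless/cell in the OCN” test is the post's heuristic, not a guarantee.

```powershell
# Added example (not from the original post): apply the post's reading rules to result rows.
# Sample rows are constructed; column names mirror the table the post describes.
$SampleRows = @(
    # Whole prefix owned by one carrier, listed as NPA-NXX (the Pathwayz case from the post).
    [pscustomobject]@{ Block = '806-350';   RateCentre = 'EXAMPLE CITY'; Region = 'TX'; Switch = 'EXMPLCLLI01'; OCN = 'Pathwayz Communications'; LATA = '000' }
    # Split prefix: one row per thousands block, NPA-NXX-X (carriers and values invented).
    [pscustomobject]@{ Block = '806-555-1'; RateCentre = 'EXAMPLE CITY'; Region = 'TX'; Switch = 'EXMPLCLLI02'; OCN = 'Example Telephone Co'; LATA = '000' }
    [pscustomobject]@{ Block = '806-555-2'; RateCentre = 'EXAMPLE CITY'; Region = 'TX'; Switch = '';            OCN = 'Example Wireless LLC'; LATA = '000' }
)

function Find-PrefixBlock {
    param(
        [Parameter(Mandatory)][string]$PhoneNumber,
        [Parameter(Mandatory)][object[]]$Rows
    )
    # Accept 806-350-1234, (806) 350-1234, 8063501234 or +1 806 350 1234.
    $digits = $PhoneNumber -replace '\D', ''
    if ($digits.Length -eq 11 -and $digits.StartsWith('1')) { $digits = $digits.Substring(1) }
    if ($digits.Length -ne 10) { throw "Expected a 10-digit NANP number, got '$PhoneNumber'" }
    $npa = $digits.Substring(0, 3)
    $nxx = $digits.Substring(3, 3)
    $x   = $digits.Substring(6, 1)     # first digit of the last four picks the block when the prefix is split

    # Prefer the exact thousands block; fall back to a whole-prefix row.
    $row = $Rows | Where-Object { $_.Block -eq "$npa-$nxx-$x" } | Select-Object -First 1
    if (-not $row) { $row = $Rows | Where-Object { $_.Block -eq "$npa-$nxx" } | Select-Object -First 1 }
    if (-not $row) { return $null }

    # The post's rules: OCN name says wireless/cell -> cell; blank switch is only a hint.
    $kind = 'Landline'
    if ($row.OCN -match 'wireless|cell') {
        $kind = 'Cell'
    }
    elseif ([string]::IsNullOrWhiteSpace($row.Switch)) {
        $kind = 'Unknown (blank switch, often cell)'
    }

    [pscustomobject]@{
        Number     = "$npa-$nxx-$($digits.Substring(6))"
        Block      = $row.Block
        Carrier    = $row.OCN
        Kind       = $kind
        RateCentre = $row.RateCentre
        Region     = $row.Region
        LATA       = $row.LATA
    }
}

# Usage: three constructed numbers, one per sample row.
'806-350-1234', '806-555-1000', '(806) 555-2000' |
    ForEach-Object { Find-PrefixBlock -PhoneNumber $_ -Rows $SampleRows } |
    Format-Table Number, Block, Carrier, Kind, RateCentre, Region, LATA
```

For a real lookup, paste the site's result rows into objects with these column names; the function then picks the row the same way you would by eye, which is what makes it usable inside a script that bulk-classifies a call list.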


Create Facebook Schedule With Cyberoam

I’ve noticed a lot of people asking about how to schedule when a user can or can’t use Facebook. This is pretty easy to do in Cyberoam, you can either do it globally, or on a per user basis. I’ll show you how to do this on a global basis. If you want to do this on a per user basis then you just need to make individual policies for your users. The steps below can apply to any website, not just Facebook.

Step 1 – Log into your Cyberoam and go to the web filter section and select categories. Add one called “ScheduledSafeSites”. This will be for anything you want to allow during a certain time, if you want to block them name the category “ScheduledBlockedSites”. Personally I think only one for safe sites is necessary but I can see blocking say, during the day and let the night guy watch it. I went ahead and added “” to mine as an example. You can add, or whatever you want here. Just like you would add sites to any other category.

Step 2 – Check the policy you want this added to and change both settings to “allow”. This is just the HTTP or HTTPS allow/deny settings.

Step 3 – Go into the Policy setting under Web Filter and open up the policy you added the category to. Click the little wrench icon next to the new category.

Step 4 – You can then select the right schedule. This particular example uses work hours, which is by default 10am to 7pm. You can go into the objects menu on the Cyberoam and edit or create any sort of schedule you want.

Step 5 – Hit ok and save your changes, your users will now only be able to get to the site when you want.

Notes: For this to work properly you need to make sure your Cyberoam’s time is correct. I’ve had a couple of instances where the time was off due to someone picking the wrong time zone during the first setup. If you are getting people who can get to the blocked site earlier than normal, go to the system menu and click on configuration. Most of the time it’s the time zone that is wrong, just find the right one.

Sometimes during the initial setup the Cyberoam appliance will figure out what time zone it’s in based on the internet IP address, but if you have a weird ISP it might find the wrong one. It isn’t entirely human error that causes this and it’s really easy to miss.