[cisco-voip] IOS access-lists to hide callmanager/unity/personal assistant?

Voigt Thomas Thomas.Voigt at netkom.de
Tue Oct 17 03:16:05 EDT 2006


Hi!

Ryan Ratliff wrote:

> What do you mean by migrate the servers to their active directory?   
> Is this as a member of the domain or simply an ldap integration to AD?

The CCM, PA, UNITY should be members of the domain.

> You have to remove the server from the domain each time you do an
> upgrade and (as you are already aware) you have to verify the domain
> security policies do not break CM (including pushing apps and/or
> security patches). For most folks the extra 2 reboots every time
> you want to patch is enough to keep them out of the domain.

That's why I'd like to "hide" the servers from the network and allow
only access from the IP phones, gateways and so on. Also, HTTP access
from the client PCs should be allowed.

My current concept is to add some access-lists to the gateway on every
VoIP subnet:

- allow ALL traffic from/to IP phone segments (there are only IP phones,
gateways and PUB+SUB, UNITY, PA within)
- allow HTTP/HTTPS traffic from any to CCM, UNITY, PA
- allow IMAP traffic from any to UNITY
- allow RDP/VNC traffic from admin to CCM, UNITY, PA
- deny any any

Is anything missing?

-- 
Regards

Thomas Voigt
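One way to express the five rules above as an IOS extended ACL, written here as an added example (not Thomas's or the list's configuration) with every address, host role and the subinterface name assumed. It goes slightly beyond the five rules in two remark-labelled lines, because a plain IOS ACL is stateless and the servers, as domain members, open sessions of their own whose replies would otherwise be dropped.

```cisco
! Assumed addressing (constructed for this example):
!   10.10.0.0/16   all IP phone segments (phones, gateways, PUB+SUB, Unity, PA)
!   10.10.1.10/11  CCM publisher / subscriber
!   10.10.1.20     Unity
!   10.10.1.30     Personal Assistant
!   10.20.5.5      admin workstation
!   10.30.0.1      domain controller / DNS (assumed; the servers are AD members)
ip access-list extended VOIP-IN
 remark 1. everything sourced inside the phone segments is trusted
 permit ip 10.10.0.0 0.0.255.255 any
 remark 2. HTTP/HTTPS from any client PC to CCM (PUB+SUB), Unity, PA
 permit tcp any host 10.10.1.10 eq www
 permit tcp any host 10.10.1.10 eq 443
 permit tcp any host 10.10.1.11 eq www
 permit tcp any host 10.10.1.11 eq 443
 permit tcp any host 10.10.1.20 eq www
 permit tcp any host 10.10.1.20 eq 443
 permit tcp any host 10.10.1.30 eq www
 permit tcp any host 10.10.1.30 eq 443
 remark 3. IMAP from any to Unity (add 993 if IMAP over TLS is used)
 permit tcp any host 10.10.1.20 eq 143
 remark 4. RDP (3389) and VNC (5900) only from the admin workstation
 permit tcp host 10.20.5.5 host 10.10.1.10 eq 3389
 permit tcp host 10.20.5.5 host 10.10.1.10 eq 5900
 permit tcp host 10.20.5.5 host 10.10.1.11 eq 3389
 permit tcp host 10.20.5.5 host 10.10.1.11 eq 5900
 permit tcp host 10.20.5.5 host 10.10.1.20 eq 3389
 permit tcp host 10.20.5.5 host 10.10.1.20 eq 5900
 permit tcp host 10.20.5.5 host 10.10.1.30 eq 3389
 permit tcp host 10.20.5.5 host 10.10.1.30 eq 5900
 remark Not in the five rules: the ACL is stateless, so replies to sessions
 remark the servers open themselves (AD, DNS, NTP) also pass through it.
 remark TCP replies can be admitted with 'established'; UDP replies need an
 remark explicit permit per service, e.g. DNS answers from the assumed DC.
 permit tcp any 10.10.1.0 0.0.0.255 established
 permit udp host 10.30.0.1 eq 53 10.10.1.0 0.0.0.255
 remark 5. deny everything else; 'log' makes the drops visible for review
 deny ip any any log
!
interface FastEthernet0/0.100
 description VoIP VLAN gateway (assumed subinterface name)
 ip access-group VOIP-IN out
```

Applied outbound on the VoIP subinterface, the list filters only traffic the router forwards into the segment; phone-to-server traffic inside the same subnet never crosses the router and is untouched, which matches rule 1.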
