[cisco-voip] setting up firewall security for jabber and/of IP Communicator

Lelio Fulgenzi lelio at uoguelph.ca
Thu May 14 15:11:01 EDT 2015 

Thanks Brian. 


Right now, it's going to be for on-campus users only. We are re-evaluating our NAC solution, so for now, it's going to be limited to a few hard coded subnets that we will be "trusting" (eeeeeeek). I'm hoping that our NAC solution will have some sort of way to ensure that only certain groups of users will be allowed through, but that's for another day. 


What do you mean by Collab Edge architecture though? Do you mean ExpressWay C/E? If so, yes, we're going to be looking at that as well as part of the phased approach. Although without a split DNS deployment, we might have some issues. :( 


I'm hoping that through some ingenious configuration, we might actually be able to use the EW on-campus for some devices that are can't negotiate voice VLANs properly. 


Do you see IPCommunicator living a long life? Or has it seen the last of days? 








--- 
Lelio Fulgenzi, B.A. 
Senior Analyst, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519‐824‐4120 Ext 56354 
lelio at uoguelph.ca 
www.uoguelph.ca/ccs 
Room 037, Animal Science and Nutrition Building 
Guelph, Ontario, N1G 2W1 

----- Original Message -----

From: "Brian Meade" <bmeade90 at vt.edu> 
To: "Lelio Fulgenzi" <lelio at uoguelph.ca> 
Cc: "cisco-voip voyp list" <cisco-voip at puck.nether.net> 
Sent: Thursday, May 14, 2015 2:47:20 PM 
Subject: Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator 


No multi-line support or extension mobility on Jabber which means most people can't use it for UCCX yet. You can use it as long as you don't need EM or multiple lines for your agents. 


Are you opening it up for people connecting remotely without VPN? If so, you'll want to use a Collab Edge architecture as it's not safe to open up CUCM/IM&P directly. 


If it's just for internal users, you should be good to go with the ACLs. 


You shouldn't need to worry about any multicast for Jabber/CIPC outside of MMOH which you mentioned. 


On Thu, May 14, 2015 at 2:30 PM, Lelio Fulgenzi < lelio at uoguelph.ca > wrote: 







I'm about to set up firewall security so Jabber clients (and IP Communicator) can access the telephony servers (CUCM, Connection, IM&P, UCCx, etc) and I was hoping to get some ideas as to what others have done and if I'm missing anything obvious here. I'm using the CUCM/IM&P port list as well as the Jabber deployment guide to get the Jabber port list. For the firewall, we are using an ASA appliance pair, v 9.1(3). 


Typically we build the ACL statements with the source address object group coupled with destination address object group and the destination port object group. I don't think there is a need to build the ACL with a source port object group at this time. 


I've also been told that we might have some multicast limitations with the firewall, basically , multicast traffic can't pass through our firewall. 


Any comments would be helpful. But I'm wondering, specifically: 


    * Are people deploying IP Communicator still? For all the benefits of Jabber, I don't see it as a replacement for a softphone with access to all the buttons and apps that are available, like services, directories, conference/join, etc. Does UCCx work with Jabber for example? 
    * What have others done for firewall ACL building? Is there a firewall feature set I'm not aware of that will simplify my life? 
    * Are there any multicast requirements when deploying Jabber and IPCommunicator? Aside from MoH? 


Thanks in advance for any help! 


Lelio 




--- 
Lelio Fulgenzi, B.A. 
Senior Analyst, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519‐824‐4120 Ext 56354 
lelio at uoguelph.ca 
www.uoguelph.ca/ccs 
Room 037, Animal Science and Nutrition Building 
Guelph, Ontario, N1G 2W1 


_______________________________________________ 
cisco-voip mailing list 
cisco-voip at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-voip 





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150514/8c5e167d/attachment.html>

More information about the cisco-voip mailing list