[cisco-voip] setting up firewall security for jabber and/of IP Communicator

Tim Smith tim.smith at enject.com.au
Mon May 18 03:43:50 EDT 2015


Hey mate,

I’ve used SCCP and SIP inspection in the past

Bit rusty maybe, but here is the gist


- If you have a firewall with Jabber clients on one side, phones on the other, and maybe a CUCM in a separate segment, maybe even a voice gateway in another segment
- With SIP/SCCP inspection
- So you only build an ACL that permits Jabber to talk to CUCM on SIP for instance
- You don’t open the UDP RTP range
- The ASA listens to the call setups and figures out the endpoints involved and what ports will be used; it then dynamically opens the RTP ports
- So instead of having a massive gap in the firewall for RTP / UDP, you are opening it only when needed and much more limited
- You are also opening it in a trusted kind of way to some degree, i.e. based on who you allow to speak SIP / SCCP to your CUCMs


It’s really the same concept for SIP and SCCP

One additional thing with SIP, is that it can also fix NAT issues..
I.e. it inspects the actual SIP message content and performs NAT on the private IP addresses.. so you don’t send an INVITE to the internet telling them to hit you up on 192.168.1.196 for example.. as it passes through – the ASA would replace this with your NAT’d address

Why the versions are important is because in the ASA, the inspection engine has to understand the signalling protocol.. i.e. it’s written to the current versions of protocol. If a new one comes out and something changes, then the inspection engine may need to be updated to understand the new version and take different actions.
So pretty sure people have been caught out with upgrading CUCM and phones, and SCCP version has changed and the ASA doesn’t understand it and doesn’t open RTP ports where it should do anymore.

So you will need to confirm your versions to make sure everyone is talking same language.

Also the firewall needs to be in the path of the signalling between the devices and CUCM, so it can see what's going on, and it would only work if it’s that same firewall that separates the end points.
And also, obviously if end points are on same side of firewall then it won’t need to open anything.

The alternative, is just to open up your RTP ranges (as long as NAT is not involved)
If you do use the inspection, it places a dependency on your firewall that you need to consider along with any of your UC changes.

Cheers,

Tim
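To make the two approaches Tim describes concrete, here is an added ASA-style configuration sketch (not from the thread and not from Cisco documentation): the wide "just open RTP" ACL beside the inspection-based one, plus the show commands to confirm the engines are active. Interface name, object names and addresses are placeholders.

```cisco
! === Alternative A: open the whole RTP range (what Tim calls "just open up your RTP ranges") ===
! Works without NAT, but leaves a permanent UDP hole from every client to every phone.
object-group network JABBER_CLIENTS
 network-object 198.51.100.0 255.255.255.0
object-group network PHONES
 network-object 203.0.113.0 255.255.255.0
access-list RTP_WIDE_OPEN extended permit udp object-group JABBER_CLIENTS object-group PHONES range 16384 32767

! === Alternative B: permit only signalling to CUCM, let inspection open media per call ===
object network CUCM_PUB
 host 192.0.2.10
object-group service UC_SIGNALLING_TCP tcp
 port-object eq 5060
 port-object eq 2000
! SIP 5060 for Jabber; SCCP 2000 for IP Communicator / desk phones. No RTP entries at all.
access-list JABBER_IN extended permit tcp object-group JABBER_CLIENTS object CUCM_PUB object-group UC_SIGNALLING_TCP
access-list JABBER_IN extended permit udp object-group JABBER_CLIENTS object CUCM_PUB eq 5060
access-group JABBER_IN in interface jabber_segment

! The engines read the SDP / SCCP media negotiation in the call setup and open
! the RTP/RTCP pinholes only for that call's endpoints and ports; for SIP they
! also rewrite private addresses in the message body when NAT applies.
policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny
service-policy global_policy global

! Caveat: inspection needs to see the signalling in the clear. SIP over TLS (5061)
! or secure SCCP (2443) is opaque to it unless the ASA's TLS proxy is configured.

! Checks after a CUCM / phone firmware upgrade (the version dependency Tim mentions):
show service-policy inspect sip
show service-policy inspect skinny
show conn
```

If the `show service-policy` counters stay at zero during a test call, the signalling is not being inspected (wrong path, encrypted signalling, or an unsupported protocol version) and the media pinholes will not be opened.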


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Saturday, 16 May 2015 1:58 AM
To: cisco-voip voyp list
Subject: Re: [cisco-voip] setting up firewall security for jabber and/of IP Communicator


just reading up on the ASA options....

anyone using SCCP or SIP inspection? I'm not sure exactly when I would need to enable that.

funny thing, as of ASA 9.3 it says SCCP inspection is not supported for CUCM 8.5 or CUCM 9.x. we're at ASA 9.1(x) and that document doesn't say anything about it not being supported for those particular CUCM versions.

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

________________________________
From: "Lelio Fulgenzi" <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
To: "cisco-voip voyp list" <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Sent: Thursday, May 14, 2015 2:30:48 PM
Subject: setting up firewall security for jabber and/of IP Communicator

I'm about to set up firewall security so Jabber clients (and IP Communicator) can access the telephony servers (CUCM, Connection, IM&P, UCCx, etc) and I was hoping to get some ideas as to what others have done and if I'm missing anything obvious here. I'm using the CUCM/IM&P port list as well as the Jabber deployment guide to get the Jabber port list. For the firewall, we are using an ASA appliance pair, v 9.1(3).

Typically we build the ACL statements with the source address object group coupled with destination address object group and the destination port object group. I don't think there is a need to build the ACL with a source port object group at this time.

I've also been told that we might have some multicast limitations with the firewall, basically, multicast traffic can't pass through our firewall.

Any comments would be helpful. But I'm wondering, specifically:

  *   Are people deploying IP Communicator still? For all the benefits of Jabber, I don't see it as a replacement for a softphone with access to all the buttons and apps that are available, like services, directories, conference/join, etc. Does UCCx work with Jabber for example?
  *   What have others done for firewall ACL building? Is there a firewall feature set I'm not aware of that will simplify my life?
  *   Are there any multicast requirements when deploying Jabber and IPCommunicator? Aside from MoH?
Thanks in advance for any help!

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

