[cisco-voip] setting up firewall security for Jabber and/or IP Communicator

Pawlowski, Adam ajp26 at buffalo.edu
Mon May 18 07:27:18 EDT 2015


Brian:

>If so, you'll want to use a Collab Edge architecture as it's not safe to open up CUCM/IM&P directly.

On this sort of campus, I still struggle with this concept. Network access isn't "controlled" with 100% lockdown hosts and computers. I can't see anyone buying a hybrid model where some subnets where we trust users are let right in, and others out, but obviously running a giant "collab edge" for the entire enterprise isn't happening either.

Are we just trying to block SIP/H323 scanners and other guff from coming in mainly?

Lelio:

Re IP-Communicator - we still "offer" this but it has about 0 usage now. The novelty of it has worn off for most people who wanted it initially. IIRC UCCX works with Jabber if you use "your extension" as your agent extension. You can probably use hunt/translation to throw other calls at that extension to get around the single extension limitation. This usually seems to work when I've played with it in the lab.

There is no auth/pinhole appliance that I'm aware of for Cisco out of the box. The CUBE line side proxy is going to be discontinued in favor of Expressway I hear (good), though that would have been your best bet there. 

If you use IP Communicator outside of our networks you have to use our Cisco AnyConnect SSL VPN to get back in here. Last time I tried this (Windows 8.1) it no longer was able to figure out that I was on a NAT and had me registering with my local private address so it obviously didn't work properly at all.



